Impact
The Linux kernel vulnerability stems from an incorrect signed comparison in io_poll_get_ownership() that checks whether poll_refs has reached a threshold for the slow path: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) . Because atomic_read() returns a signed int, setting the IO_POLL_CANCEL_FLAG bit (BIT(31)) causes the value to become negative in signed arithmetic, so the comparison always fails and the slow path that cancels a pending request is never entered. This oversight can allow an io_uring poll request to remain pending indefinitely, potentially exhausting kernel resources and resulting in a denial of service. The flaw is a signed comparison error – a CWE‑1024 weakness. Ongoing risk remains high for systems that have not adopted the patch that casts the atomic_read() result to unsigned before performing the comparison. The CVSS score of 7.8 indicates a high severity for the vulnerability, while the EPSS score of <1% suggests a low probability of exploitation at this time. The flaw requires local access for an attacker capable of submitting io_uring poll requests. The vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread attacks. States that local attackers with sufficient privileges could cause resource exhaustion or deny service by abusing long‑running io_uring poll requests until the kernel patch is applied. The likely attack vector is local, affecting any user sharing the compromised kernel instance. The impact includes denial of service to users on the affected system.
Affected Systems
All Linux kernels that have not incorporated the patch commit 326941b22806cbf2df1fbfe902b7908b368cce42 or an equivalent change are affected. The CNA lists the product as Linux:Linux, so any distribution kernel built from the impacted source lines is impacted. The specific version range is not enumerated in the CNA data, but any build prior to the patch is vulnerable.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, while the EPSS score of <1% shows a low probability of exploitation at this time. The vulnerability is not listed in CISA KEV, suggesting no known widespread attacks have been observed. The flaw requires local access to the kernel—an attacker with sufficient privileges who can submit io_uring poll requests could cause resource exhaustion or denial of operations. The attack vector is local, affecting all users sharing the compromised kernel instance.
OpenCVE Enrichment
Debian DLA
Ubuntu USN