Impact
The flaw occurs during bundle receive retries in the Linux kernel's io_uring subsystem. When a retry merges the completion flags from a previous iteration with the new one, the IORING_CQE_F_BUF_MORE flag is incorrectly propagated or retained. This flag tells userspace that a buffer will be reused, but because it is mishandled the kernel may advance the buffer ring head past a buffer still in use. The result can be kernel memory corruption or a denial‑of‑service due to misuse of the shared buffer ring. The weakness is a buffer handling flaw (CWE‑1285).
Affected Systems
The vulnerability affects the Linux kernel. All kernel revisions released before the patch are potentially impacted. No userspace products beyond the kernel are directly affected.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% and absence from the CISA KEV catalog suggest limited public exploitation. Based on the description, the likely attack vector is a local application that uses io_uring with buffer rings and bundle receive operations. The attacker would need to run code on the target system, either as the same user or with elevated privileges, to trigger repeated bundle receives that contain incomplete buffers. No exploits have been reported yet, so the impact remains theoretical, but the potential for kernel crashes makes the vulnerability significant.
OpenCVE Enrichment