CVE-2026-23275
Published: Mar 20, 2026
Modified: May 11, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 - < 7cc4530b3e952d4a5947e1e55d06620d8845d4f5affected 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 - < 46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1affected 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 - < 96189080265e6bb5dde3a4afbaf947af493e3f82 |
Linux | Linux | affected 6.13unaffected 0 - < 6.13unaffected 6.18.19 - <= 6.18.*unaffected 6.19.9 - <= 6.19.*unaffected 7.0 - <= * |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now