{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23275", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:55.857Z", "dateUpdated": "2026-05-11T22:03:42.916Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:42.916Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/io_uring_types.h", "io_uring/io_uring.c", "io_uring/register.c", "io_uring/tw.c"], "versions": [{"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "7cc4530b3e952d4a5947e1e55d06620d8845d4f5", "status": "affected", "versionType": "git"}, {"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1", "status": "affected", "versionType": "git"}, {"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "96189080265e6bb5dde3a4afbaf947af493e3f82", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/io_uring_types.h", "io_uring/io_uring.c", "io_uring/register.c", "io_uring/tw.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"}, {"url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"}, {"url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"}], "title": "io_uring: ensure ctx->rings is stable for task work flags manipulation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D394AC60-6F28-435F-872A-CCDF384B8331", "versionEndExcluding": "6.18.19", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9", "versionEndExcluding": "6.19.9", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nio_uring: asegurar que ctx->rings sea estable para la manipulaci\u00f3n de las banderas de trabajo de tarea\n\nSi se usa DEFER_TASKRUN | SETUP_TASKRUN y se a\u00f1ade trabajo de tarea mientras el anillo est\u00e1 siendo redimensionado, es posible que la operaci\u00f3n OR de IORING_SQ_TASKRUN ocurra en la peque\u00f1a ventana de intercambio a los nuevos anillos y la liberaci\u00f3n de los anillos antiguos.\n\nEsto se previene a\u00f1adiendo un segundo puntero ->rings, ->rings_rcu, el cual est\u00e1 protegido por RCU. La manipulaci\u00f3n de las banderas de trabajo de tarea ya est\u00e1 dentro de RCU, y si la liberaci\u00f3n del anillo redimensionado se realiza despu\u00e9s de una sincronizaci\u00f3n RCU, entonces no hay necesidad de a\u00f1adir bloqueo a la ruta r\u00e1pida de las adiciones de trabajo de tarea.\n\nNota: esto solo se hace para DEFER_TASKRUN, ya que ese es el \u00fanico modo de configuraci\u00f3n que soporta el redimensionamiento de anillos. Si esto alguna vez cambia, entonces ellos tambi\u00e9n necesitar\u00e1n usar la funci\u00f3n auxiliar io_ctx_mark_taskrun()."}], "id": "CVE-2026-23275", "lastModified": "2026-05-22T18:16:37.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-20T09:16:13.223", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: io_uring: ensure ctx->rings is stable for task work flags manipulation", "id": "2449558", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449558"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-366", "details": ["A flaw was found in the Linux kernel's io_uring subsystem. This vulnerability occurs during the resizing of an io_uring ring when task work is added with specific flags (DEFER_TASKRUN or SETUP_TASKRUN). A race condition allows the IORING_SQ_TASKRUN flag to be set in an unstable memory region, which can lead to unpredictable system behavior or system instability."], "name": "CVE-2026-23275", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23275\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23275\nhttps://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23275-33fe@gregkh/T"], "statement": "This flaw affects io_uring applications using DEFER_TASKRUN mode with ring resizing. The race window exists between swapping to a new rings structure and freeing the old one, where task work can manipulate flags in freed memory. Exploiting this requires an application using the specific io_uring configuration and triggering ring resize operations concurrently with task work additions.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[79cfe9e59c2a12c3b3faeeefe38d23f3d8030972,7cc4530b3e952d4a5947e1e55d06620d8845d4f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[79cfe9e59c2a12c3b3faeeefe38d23f3d8030972,46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[79cfe9e59c2a12c3b3faeeefe38d23f3d8030972,96189080265e6bb5dde3a4afbaf947af493e3f82)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.19,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.0-rc4"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T16:45:10.845380+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the io_uring ring stability fix", "If update is not immediately available, verify distribution security advisories for interim patches", "Monitor kernel updates and verify the patch is in place by checking the kernel version and commit log"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions are potentially affected when the affected kernel version implements the io_uring feature set described. No specific kernel release versions are listed in the available data, so any kernel that includes io_uring support prior to the fix should be considered vulnerable.", "description_and_impact": "A race condition exists in the Linux kernel io_uring subsystem that may cause the IORING_SQ_TASKRUN flag to be incorrectly applied while a ring buffer is being resized. During the brief window when the old rings are freed and replacement rings are swapped in, the task work flags manipulation can corrupt memory or cause a kernel crash. The vulnerable behavior does not directly grant an attacker code execution, but a crash could allow a local privileged attacker to gain escalated privileges or disrupt system availability.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity vulnerability, and the low EPSS (<1%) suggests exploitation is unlikely in the wild. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector is local to the kernel, requiring the attacker to execute privileged code that can manipulate task work or trigger a ring resize. Because the issue is tied to kernel memory management, exploitation would be relatively complex and is not known to be actively weaponized."}}}}, "created": "2026-03-20T10:36:44.287209+00:00", "updated": "2026-04-02T20:23:15.543695+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}