{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23275", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:55.857Z", "dateUpdated": "2026-03-20T08:08:55.857Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-20T08:08:55.857Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/io_uring_types.h", "io_uring/io_uring.c", "io_uring/register.c", "io_uring/tw.c"], "versions": [{"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "7cc4530b3e952d4a5947e1e55d06620d8845d4f5", "status": "affected", "versionType": "git"}, {"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1", "status": "affected", "versionType": "git"}, {"version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972", "lessThan": "96189080265e6bb5dde3a4afbaf947af493e3f82", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/io_uring_types.h", "io_uring/io_uring.c", "io_uring/register.c", "io_uring/tw.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"}, {"url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"}, {"url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"}], "title": "io_uring: ensure ctx->rings is stable for task work flags manipulation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."}], "id": "CVE-2026-23275", "lastModified": "2026-03-20T09:16:13.223", "metrics": {}, "published": "2026-03-20T09:16:13.223", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:23:19.010504+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that introduces the RCU\u2011protected rings pointer to address the race condition.", "If patching is not immediately possible, disable the DEFER_TASKRUN configuration or ring resizing in the io_uring subsystem to eliminate the race window.", "As a temporary measure, avoid using io_uring with ring resizing on affected systems and monitor kernel logs for crashes."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that implement the io_uring subsystem and support the DEFER_TASKRUN configuration are potentially affected. The CPE for the affected software is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. No specific version list is provided in the CVE; any kernel prior to the commit referenced in the patch is considered vulnerable until the patch is applied.", "description_and_impact": "The vulnerability arises when the DEFER_TASKRUN mode is enabled and task work is added while the io_uring ring is being resized. The vendor describes that the OR'ing of the IORING_SQ_TASKRUN flag could happen during the brief window when the new ring swaps in and the old ring is freed, creating a race condition. This race condition may lead to kernel memory corruption or a crash, causing a denial\u2011of\u2011service, although the CVE text does not explicitly state a crash; the impact is inferred from the potential for inconsistent state.", "risk_and_exploitability": "Numerical severity metrics such as CVSS or EPSS are not available, and the vulnerability is not in the CISA KEV catalog. The attack vector is likely local: an attacker with the ability to run a process that creates an io_uring instance with DEFER_TASKRUN enabled can trigger the race condition. The potential for a kernel crash or denial\u2011of\u2011service gives the vulnerability an overall moderate to high risk for systems that allow untrusted local code to use io_uring with ring resizing enabled."}}}}, "created": "2026-03-20T10:36:44.287209+00:00", "updated": "2026-03-20T10:36:44.287235+00:00", "vendors": [], "weaknesses": ["CWE-362"]}