CVE-2026-23275— io_uring: ensure ctx->rings is stable for task work flags manipulation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23275
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
io_uring: ensure ctx->rings is stable for task work flags manipulation
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于io_uring在任务工作标志操作期间ctx->rings指针不稳定,可能导致任务工作标志操作访问已释放内存。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23275
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23275
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-03-20 · 8 CVEs total
| CVE-2026-23278 | 7.8 HIGH | netfilter: nf_tables: always walk all pending catchall elements |
| CVE-2026-23274 | 7.8 HIGH | netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels |
| CVE-2026-23273 | 7.8 HIGH | macvlan: observe an RCU grace period in macvlan_common_newlink() error path |
| CVE-2026-23272 | 7.8 HIGH | netfilter: nf_tables: unconditionally bump set->nelems before insertion |
| CVE-2026-23271 | 7.8 HIGH | perf: Fix __perf_event_overflow() vs perf_remove_from_context() race |
| CVE-2026-23276 | net: add xmit recursion limit to tunnel xmit functions | |
| CVE-2026-23277 | net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit |
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23275
No comments yet