CVE-2022-50639
Description
In the Linux kernel, the following vulnerability has been resolved:
io-wq: Fix memory leak in worker creation
If the CPU mask allocation for a node fails, then the memory allocated for the 'io_wqe' struct of the current node doesn't get freed on the error handling path, since it has not yet been added to the 'wqes' array.
This was spotted when fuzzing v6.1-rc1 with Syzkaller: BUG: memory leak unreferenced object 0xffff8880093d5000 (size 1024): comm "syz-executor.2", pid 7701, jiffies 4295048595 (age 13.900s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720 [<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130 [<000000004e107011>] io_wq_create+0x7b9/0xdc0 [<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d [<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba [<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce [<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80 [<000000008a8a7508>] do_syscall_64+0x5d/0x90 [<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in Linux kernel's io-wq worker creation occurs when CPU mask allocation fails, leaving the io_wqe struct is not freed.
Vulnerability
In the Linux kernel's io-wq (I/O worker queue) implementation, a memory leak vulnerability exists in the worker creation path. When the io_wq_create function allocates an io_wqe struct for a node, but the subsequent CPU mask allocation for that node fails, the allocated memory for the io_wqe struct is not freed on the error handling path. This is because the io_wqe has not yet been added to the wqes array at that point, so the cleanup code does not release it [1].
Exploitation
The vulnerability can be triggered by invoking the io_uring_setup system call, which eventually calls io_wq_create. An attacker with the ability to make such system calls (e.g., a local user) can cause repeated allocation failures, leading to memory exhaustion. The issue was discovered via fuzzing with Syzkaller on kernel v6.1-rc1 [1].
Impact
An attacker can cause a memory leak, potentially leading to denial of service (system instability or crash) due to exhaustion of kernel memory. The leak is per failed allocation, and repeated exploitation can accumulate significant memory loss [1].
Mitigation
The fix is included in Linux kernel stable updates. The commit 996d3efeb091 addresses the issue by ensuring the io_wqe struct is freed if the CPU mask allocation fails after allocation [1]. Users should apply the latest kernel updates from their distribution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
3b6e2c54be37ded981911a7c9996d3efeb091Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.