CVE-2025-68294
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: ensure vectored buffer node import is tied to notification
When support for vectored registered buffers was added, the import itself is using 'req' rather than the notification io_kiocb, sr->notif. For non-vectored imports, sr->notif is correctly used. This is important as the lifetime of the two may be different. Use the correct io_kiocb for the vectored buffer import.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's io_uring/net code, the vectored registered buffer import was bound to the request io_kiocb instead of the notification io_kiocb, so the buffer's lifetime depended on the wrong object.
Root Cause
The vulnerability arises in the Linux kernel's io_uring subsystem, specifically in the networking path. When support for vectored registered buffers was added, the import operation incorrectly used the req io_kiocb instead of the notification io_kiocb (sr->notif). For non-vectored imports, the correct sr->notif is used. This mismatch can cause the buffer's lifetime to be tied to the wrong object, potentially leading to use-after-free conditions.
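The lifetime mismatch described above can be seen in a small userspace model. This is an added example, not kernel code and not taken from the fix. All struct and function names are hypothetical, and the ordering of events (the table reference dropped and the request completing before the notification) is a constructed assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model; every name here is hypothetical. */
struct buf_node { int refs; bool released; };
struct kiocb    { struct buf_node *node; };   /* stands in for io_kiocb */

static void node_put(struct buf_node *n)
{
    if (--n->refs == 0)
        n->released = true;   /* the real code would release the buffer here */
}

/* Import: the chosen owner takes the reference that keeps the buffer alive. */
static void import_buf(struct kiocb *owner, struct buf_node *n)
{
    n->refs++;
    owner->node = n;
}

/* Completion drops whatever reference this kiocb holds. */
static void complete(struct kiocb *k)
{
    if (k->node) {
        node_put(k->node);
        k->node = NULL;
    }
}

/* True if the buffer is still alive when the notification, the last user
 * of the data, is about to complete. false models the pre-fix vectored path. */
bool buffer_alive_until_notif(bool bind_to_notif)
{
    struct buf_node node = { .refs = 1, .released = false }; /* table ref */
    struct kiocb req = { 0 }, notif = { 0 };
    import_buf(bind_to_notif ? &notif : &req, &node);
    node_put(&node);              /* table reference goes away (constructed) */
    complete(&req);               /* request completes first */
    bool alive = !node.released;  /* notification still needs the data */
    complete(&notif);             /* notification completes later */
    return alive;
}

int main(void)
{
    printf("bound to req:   alive=%d\n", buffer_alive_until_notif(false));
    printf("bound to notif: alive=%d\n", buffer_alive_until_notif(true));
    return 0;
}
```

In the model, binding the import to the request lets the last reference drop while the notification is still pending; binding it to the notification keeps the buffer alive until the notification completes.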
Attack Vector
An attacker with the ability to submit vectored I/O operations (specifically send-to-notification variants) may exploit this bug. The exploit requires local access and the ability to create io_uring instances, which typically requires the CAP_SYS_ADMIN capability or unprivileged access depending on the system configuration. The attack is triggered by submitting a specific vectored registered buffer operation where the buffer node import is not properly bound to the notification.
Impact
If exploited, an attacker could cause a use-after-free of the buffer memory, potentially leading to memory corruption or privilege escalation. The impact is local privilege escalation from an unprivileged user or container, as the io_uring interface allows file descriptor operations without direct kernel access. There is no evidence of active exploitation in the wild.
Mitigation
A patch has been submitted to the Linux kernel mailing list (see reference commit [1]) and is expected in kernel versions after 6.13-rc1. Users should apply the patch or update to a kernel containing the fix. No workaround exists short of disabling io_uring if the system does not require it.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.