CVE-2025-68317

Vulnerability

Description

A vulnerability was discovered in the Linux kernel's io_uring subsystem, specifically in the zero-copy transmit (zc) handling. The function io_uring/zctx did not properly verify that chained notification contexts (ubuf_info) originate from the same request context. The commit message notes that there were ambiguous syz reports, prompting the addition of a check on notification completion to ensure the assumption holds [1].

Exploitation

To exploit this issue, an attacker would need local access to the system and the ability to submit io_uring requests with zero-copy transmit operations. By crafting a sequence of chained notifications from different contexts, the attacker could trigger a mismatch, potentially leading to a use-after-free or memory corruption condition. The vulnerability is considered a security issue because it can be triggered by unprivileged users with io_uring access.

Impact

If successfully exploited, an attacker could achieve memory corruption within the kernel, potentially leading to privilege escalation, denial of service, or information disclosure. The impact depends on the specific kernel configuration and the attacker's ability to control the corrupted memory.

Mitigation

The fix has been applied in the Linux kernel stable tree via commit d664a3ce3a604231a0b144c152a3755d03b18b60 [1]. Users are advised to update to a patched kernel version to mitigate the risk.