VYPR
High severity, 7.8 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 2, 2026

CVE-2026-23275

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's io_uring, a race condition in task work flags manipulation during ring resizing could cause use-after-free; fixed by RCU-protected rings pointer.

Summary

In the Linux kernel's io_uring subsystem, a race condition in task work flags manipulation during ring resizing can lead to use-after-free; fixed by introducing an RCU-protected rings pointer.

Details

The vulnerability occurs when DEFER_TASKRUN and SETUP_TASKRUN flags are used together with io_uring ring resizing. During the resize operation, the old rings structure is freed after swapping to new rings, but task work flags (IORING_SQ_TASKRUN) may be OR'd onto the old rings concurrently, causing a use-after-free.

To exploit this, an attacker needs local access and the ability to set up io_uring with those flags and trigger ring resizing. The race window is small but could be targeted.

Successful exploitation could result in memory corruption, potentially leading to privilege escalation. The impact is limited to systems with io_uring enabled and specific configuration.

The fix adds a second ->rings pointer (rings_rcu) protected by RCU. Task work flags manipulation already occurs under RCU, so the old rings are freed only after an RCU synchronize, eliminating the race. This fix is applied to the DEFER_TASKRUN mode which supports resizing. The patch has been merged into the Linux kernel stable branches [1][2][3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)