CVE-2026-45995
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix user_struct uaf
io_free_rbuf_ring() uses a struct user_struct, which io_zcrx_ifq_free() puts down before destroying the ring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's io_uring/zcrx subsystem occurs when io_free_rbuf_ring() accesses a freed user_struct.
Vulnerability
In the Linux kernel, the io_uring/zcrx subsystem contains a use-after-free vulnerability. The function io_free_rbuf_ring() accesses a struct user_struct pointer, but io_zcrx_ifq_free() decrements the reference count on that same user_struct before destroying the ring buffer. This ordering error means the user_struct can be freed while still in use, leading to a use-after-free condition. The exact affected kernel versions are not explicitly listed in the available references, but the fix is applied in a commit to the stable tree [1].
Exploitation
An attacker would need the ability to trigger the vulnerable code path, which requires local access and the capability to create and tear down io_uring instances with zero-copy RX rings. The bug is an ordering error rather than a race: it is reached by normal teardown, in which io_zcrx_ifq_free() releases the user_struct before io_free_rbuf_ring() has finished using it. No specific user interaction beyond running such operations is mentioned in the references [1].
Impact
Successful exploitation could result in a use-after-free of a kernel user_struct, potentially leading to a denial of service (system crash or memory corruption) or possibly privilege escalation, depending on how the freed memory is reused. The impact is context-dependent but generally considered high for system stability and security.
Mitigation
The fix has been applied in the Linux kernel stable tree via commit 9feb88eeda6d288f93fcfb6bca563f89e316479d [1]. Users should update to a kernel version that includes this commit. No workaround is provided in the references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
9feb88eeda6d io_uring/zcrx: fix user_struct uaf
2 files changed · +2 −4
io_uring/zcrx.c+1 −2 modifieddiff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 51a446a953d496..af4b88e106abf4 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -565,13 +565,13 @@ static void io_zcrx_ifq_free(struct io_zcrx_ifq *ifq) if (ifq->area) io_zcrx_free_area(ifq, ifq->area); - free_uid(ifq->user); if (ifq->mm_account) mmdrop(ifq->mm_account); if (ifq->dev) put_device(ifq->dev); io_free_rbuf_ring(ifq); + free_uid(ifq->user); mutex_destroy(&ifq->pp_lock); kfree(ifq); } -- cgit 1.3-korg
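Review bot: the new position of `free_uid(ifq->user)` after `io_free_rbuf_ring(ifq)` encodes an ordering dependency that nothing in the hunk itself makes visible, because the hunk does not show how io_free_rbuf_ring() touches ifq->user; a one-line comment above the moved call (for example `/* io_free_rbuf_ring() still uses ifq->user; drop the ref last */`) would keep a later cleanup of this function from reintroducing the use-after-free. The rest of the teardown order is unchanged: io_zcrx_free_area(), mmdrop() and put_device() still run before the ring is freed, and mutex_destroy() and kfree(ifq) remain last, so ifq->user is only read while ifq is still allocated. The summary says 2 files changed, but only io_uring/zcrx.c is shown here.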
0fcccfd87152 io_uring/zcrx: fix user_struct uaf
2 files changed · +2 −4
io_uring/zcrx.c+1 −2 modifieddiff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 9a83d7eb4210e2..fab3693ecb0d61 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -579,13 +579,13 @@ static void io_zcrx_ifq_free(struct io_zcrx_ifq *ifq) if (ifq->area) io_zcrx_free_area(ifq, ifq->area); - free_uid(ifq->user); if (ifq->mm_account) mmdrop(ifq->mm_account); if (ifq->dev) put_device(ifq->dev); io_free_rbuf_ring(ifq); + free_uid(ifq->user); mutex_destroy(&ifq->pp_lock); kfree(ifq); } -- cgit 1.3-korg
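Review bot: this is the same reordering as the 9feb88eeda6d hunk applied at a different offset (@@ -579 rather than @@ -565) against a different blob (9a83d7eb4210e2 rather than 51a446a953d496), so it should be confirmed that io_free_rbuf_ring() in this tree dereferences ifq->user in the same way, since the backport is only correct if it does; if so, the moved call deserves the same explanatory comment. The file summary reports −2 while only one removed line survives in this extracted hunk, so the rendered diff should be checked for the second removed line.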
Vulnerability mechanics
Root cause
"Use-after-free: `free_uid(ifq->user)` is called before `io_free_rbuf_ring(ifq)`, but `io_free_rbuf_ring()` still accesses the same `struct user_struct`, leading to a use-after-free condition."
Attack vector
An attacker triggers this bug by setting up an io_uring zero-copy RX interface (`io_zcrx_ifq`) and then tearing it down. During teardown, `io_zcrx_ifq_free()` calls `free_uid(ifq->user)` to release the user_struct reference, but then calls `io_free_rbuf_ring(ifq)` which internally uses the same already-freed `user_struct`. This use-after-free can be exploited to corrupt kernel memory. No special privileges beyond the ability to create io_uring interfaces are required [patch_id=2660601].
Affected code
The vulnerable function is `io_zcrx_ifq_free()` in `io_uring/zcrx.c` [patch_id=2660601]. The bug is an ordering error: `free_uid(ifq->user)` was placed before `io_free_rbuf_ring(ifq)`, but the latter function also accesses `ifq->user`.
What the fix does
The patch moves the `free_uid(ifq->user)` call from before `io_free_rbuf_ring(ifq)` to after it, inside `io_zcrx_ifq_free()` [patch_id=2660601]. This ensures the `struct user_struct` remains valid while `io_free_rbuf_ring()` still references it. The fix is a single-line reordering — no other logic changes are needed.
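The ordering error described in this section and in the Vulnerability section of the AI Insight, modelled in user-space C as an added illustration that is not the kernel's code. The structs and the functions free_uid(), io_free_rbuf_ring() and the two teardown variants are constructed stand-ins named after the page's identifiers; the `freed` flag is an assumed substitute for returning memory to the allocator, so that the misuse is detected deterministically instead of being undefined behaviour.

```c
#include <stdio.h>

/* Constructed model of the teardown order in io_zcrx_ifq_free(). Added
 * illustration, not kernel code: the bodies below are toy stand-ins and
 * the "freed" flag replaces kfree() so a use after the last put is
 * detectable rather than undefined. */

struct user_struct {
    int refcount;
    long locked_pages;  /* memory accounted to this user */
    int freed;          /* assumed stand-in for "returned to the allocator" */
};

struct ifq {
    struct user_struct *user;
    long ring_pages;
};

struct teardown_result {
    int ret;       /* 0 on success, -1 if a freed user_struct was touched */
    int balanced;  /* 1 if the ring's pages were returned to the user */
    int freed;     /* 1 if the user_struct was released */
};

static struct user_struct *get_uid(struct user_struct *u)
{
    u->refcount++;
    return u;
}

/* Models free_uid(): NULL-tolerant, releases the object on the last put. */
static void free_uid(struct user_struct *u)
{
    if (!u)
        return;
    if (--u->refcount == 0)
        u->freed = 1;
}

/* Models io_free_rbuf_ring(): it hands the ring's pages back to the user's
 * accounting, so it must run while ifq->user is still alive. */
static int io_free_rbuf_ring(struct ifq *q)
{
    if (q->user->freed)
        return -1;                     /* use-after-free caught by the model */
    q->user->locked_pages -= q->ring_pages;
    q->ring_pages = 0;
    return 0;
}

/* Pre-patch order: the reference is dropped before its last user runs. */
static int ifq_free_buggy(struct ifq *q)
{
    free_uid(q->user);
    return io_free_rbuf_ring(q);
}

/* Post-patch order: the user_struct is released only after the ring is gone. */
static int ifq_free_fixed(struct ifq *q)
{
    int ret = io_free_rbuf_ring(q);
    free_uid(q->user);
    return ret;
}

/* Drive one teardown with a user whose only reference is held by the ifq,
 * the case in which the order of the two calls decides whether the ring
 * code reads live or released memory. */
static struct teardown_result run_teardown(int (*teardown)(struct ifq *))
{
    struct user_struct u = { .refcount = 0, .locked_pages = 0, .freed = 0 };
    struct ifq q = { .user = get_uid(&u), .ring_pages = 64 };
    struct teardown_result r;

    u.locked_pages += q.ring_pages;   /* ring setup charged the user */
    r.ret = teardown(&q);
    r.balanced = (u.locked_pages == 0);
    r.freed = u.freed;
    return r;
}

int main(void)
{
    struct teardown_result b = run_teardown(ifq_free_buggy);
    struct teardown_result f = run_teardown(ifq_free_fixed);

    printf("buggy order: ret=%d balanced=%d freed=%d\n", b.ret, b.balanced, b.freed);
    printf("fixed order: ret=%d balanced=%d freed=%d\n", f.ret, f.balanced, f.freed);
    return 0;
}
```

In the buggy order the last reference is dropped first and the ring's accounting is never returned; in the kernel that same step is a read of freed memory, which is exactly what moving free_uid() below io_free_rbuf_ring() removes. The general rule the patch applies is to release a shared object only after every teardown step that still dereferences it has run.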
Preconditions
- config: The attacker must be able to create and tear down an io_uring zero-copy RX interface (io_zcrx_ifq).
- auth: No special privileges beyond standard io_uring access are required.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.