VYPR
Severity: Unrated · Source: NVD Advisory · Published Jun 9, 2026

CVE-2026-46315

Description

Linux kernel io_uring/waitid vulnerability exposes stale data due to uninitialized struct fields, potentially leading to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In the Linux kernel, IORING_OP_WAITID keeps its result in struct io_waitid::info, which sits in per-request command storage that io_uring reuses from one request to the next, and io_waitid_prep() did not clear it. When a wait completes without a child event to report, the common wait code returns without writing anything through wo_info, so the completion path, io_waitid_finish(), copies whatever bytes that storage previously held to userspace. The regular waitid(2) syscall does not have this problem because it starts from a zero-initialized local struct waitid_info, so a wait with nothing to report returns zeros [1].

Exploitation

Triggering the bug requires local code execution with access to io_uring: the attacker sets up a ring and submits an IORING_OP_WAITID request whose wait completes without a child event to report. No privilege beyond the ability to create an io_uring instance is needed, because the defect is entirely the io_uring path's failure to clear the info struct in io_waitid_prep(); what comes back through the user buffer is whatever earlier requests left in that command storage [1]. Where io_uring is already restricted for unprivileged code (for example by seccomp or the kernel.io_uring_disabled sysctl), the path is not reachable.

Impact

Successful exploitation is an information disclosure of bounded size: at most sizeof(struct waitid_info) bytes of kernel memory per request, namely whatever was last written into the reused command storage. The references do not establish whether that content can only come from the same ring's earlier requests or also from another user of a recycled allocation, so treat it as a small kernel memory leak rather than an arbitrary read. It is local only and does not by itself give code execution or privilege escalation, though small leaks of this kind are what attackers combine with other bugs [1].

Mitigation

The fix zeroes struct io_waitid::info in io_waitid_prep() with a memset(), so a wait that completes without writing the result returns all-zero bytes, as the syscall does [1]. The patch entries below record the fix in 6.12.92, 6.18.34, 7.0.11 and mainline 7.1-rc5. Distribution kernels commonly carry the one-line backport under their own version strings, so check vendor changelogs rather than comparing uname -r alone. No workaround is disclosed in the references; on hosts that do not need io_uring, the kernel.io_uring_disabled sysctl (a general hardening control, not something the references mention) removes this attack surface entirely.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
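As a triage aid for the fixed versions named above, here is an added helper written for this page (not part of the advisory, the kernel or any vendor tooling). It parses a kernel release string and classifies it against the four fixed versions this page's patch entries list; everything newer than the 7.1 mainline fix is treated as fixed because mainline is linear, branches this page does not list come back as unknown, and an "upstream vulnerable" result still has to be checked against vendor backports. The enum, the function names and the fixed_in table are this example's own.

```c
/*
 * Added triage helper (not from the advisory or the kernel): classify a kernel
 * release string against the fixed versions this page lists for CVE-2026-46315.
 * The function names, the enum and the fixed_in table are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum waitid_fix_state {
    WAITID_FIXED,               /* at or past the fixed release of its branch */
    WAITID_UPSTREAM_VULNERABLE, /* upstream predates the fix; a vendor may have backported it */
    WAITID_UNKNOWN_BRANCH,      /* branch not covered by this page's patch list */
    WAITID_PARSE_ERROR
};

struct kver { int major, minor, patch, rc; };   /* rc == 0 means a release, not an -rc */

/* Parses "6.12.91-generic", "7.1-rc5", "7.1.0-rc4", "7.0.11"; distro suffixes are ignored. */
static int parse_kver(const char *s, struct kver *v)
{
    char *end;
    memset(v, 0, sizeof(*v));
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s)
        return -1;
    if (*end == '.') {                         /* optional third component */
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s)
            return -1;
    }
    if (strncmp(end, "-rc", 3) == 0) {         /* optional -rcN */
        s = end + 3;
        v->rc = (int)strtol(s, &end, 10);
        if (end == s || v->rc <= 0)
            return -1;
    }
    return 0;
}

/* Fixed versions recorded in this page's patch entries (via kernel-cna). */
static const struct kver fixed_in[] = {
    { 6, 12, 92, 0 },   /* 954518e5a4a5 */
    { 6, 18, 34, 0 },   /* b737c6612c60 */
    { 7,  0, 11, 0 },   /* 4d2a0de611ab */
    { 7,  1,  0, 5 },   /* 93d93f5f8da7, mainline 7.1-rc5 */
};

enum waitid_fix_state classify_kernel(const char *release)
{
    struct kver v;
    if (parse_kver(release, &v) != 0)
        return WAITID_PARSE_ERROR;

    for (size_t i = 0; i < sizeof(fixed_in) / sizeof(fixed_in[0]); i++) {
        const struct kver *f = &fixed_in[i];
        if (v.major != f->major || v.minor != f->minor)
            continue;
        if (f->rc)  /* mainline branch fixed during -rc: the release and later -rcs carry it */
            return (v.rc == 0 || v.rc >= f->rc) ? WAITID_FIXED : WAITID_UPSTREAM_VULNERABLE;
        if (v.rc)   /* an -rc of x.y predates x.y.0 and therefore the stable fix */
            return WAITID_UPSTREAM_VULNERABLE;
        return v.patch >= f->patch ? WAITID_FIXED : WAITID_UPSTREAM_VULNERABLE;
    }

    /* Mainline is linear: any branch newer than the 7.1 mainline fix contains the commit. */
    const struct kver *mainline = &fixed_in[3];
    if (v.major > mainline->major || (v.major == mainline->major && v.minor > mainline->minor))
        return WAITID_FIXED;

    return WAITID_UNKNOWN_BRANCH;
}

const char *waitid_fix_state_name(enum waitid_fix_state s)
{
    switch (s) {
    case WAITID_FIXED:               return "fixed";
    case WAITID_UPSTREAM_VULNERABLE: return "upstream-vulnerable (check vendor backports)";
    case WAITID_UNKNOWN_BRANCH:      return "branch not covered by this page";
    default:                         return "unparseable release string";
    }
}

int main(void)
{
    /* Constructed sample release strings; on a live host feed in the output of uname -r. */
    const char *samples[] = { "6.12.91-generic", "6.12.92", "7.0.10", "7.1-rc4", "7.1-rc5", "7.2.3", "6.15.3" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s %s\n", samples[i], waitid_fix_state_name(classify_kernel(samples[i])));
    return 0;
}
```

The three-way result is deliberate: a version string can prove a kernel is fixed, but it cannot prove one is vulnerable, because stable fixes are routinely backported into vendor kernels that keep an older upstream number.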

Affected products: 2 (not itemized on this page)

Patches: 8 entries covering 4 distinct commits (4d2a0de611ab, 954518e5a4a5, b737c6612c60, 93d93f5f8da7)
4d2a0de611ab

io_uring/waitid: clear waitid info before copying it to userspace

Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Author: Heechan Kang · May 16, 2026 · Fixed in 7.0.11 · via kernel-cna
1 file changed · +1 line
  • io_uring/waitid.c · +1 · modified
    diff --git a/io_uring/waitid.c b/io_uring/waitid.c
    index d25d60aed6afc..32f68fd7fcdda 100644
    --- a/io_uring/waitid.c
    +++ b/io_uring/waitid.c
    @@ -275,6 +275,7 @@ int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
     	iw->options = READ_ONCE(sqe->file_index);
     	iw->head = NULL;
     	iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
    +	memset(&iw->info, 0, sizeof(iw->info));
     	return 0;
     }
     
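Review bot: the added memset carries no comment saying why it is there, and read in isolation it looks redundant next to the surrounding assignments of options, head and infop, which makes it a candidate for a future "cleanup" that would reopen the leak. A one-line comment at the insertion point, along the lines of `/* the common wait code may complete without writing info; mirror waitid(2)'s zeroed struct */`, would record the intent.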
    
954518e5a4a5

io_uring/waitid: clear waitid info before copying it to userspace

Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Author: Heechan Kang · May 16, 2026 · Fixed in 6.12.92 · via kernel-cna
1 file changed · +1 line
  • io_uring/waitid.c · +1 · modified
    diff --git a/io_uring/waitid.c b/io_uring/waitid.c
    index ecaa358d0ad87..ef2283728c2b3 100644
    --- a/io_uring/waitid.c
    +++ b/io_uring/waitid.c
    @@ -294,6 +294,7 @@ int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
     	iw->upid = READ_ONCE(sqe->fd);
     	iw->options = READ_ONCE(sqe->file_index);
     	iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
    +	memset(&iw->info, 0, sizeof(iw->info));
     	return 0;
     }
     
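Review bot: this hunk's context differs from the 7.0 one (no `iw->head = NULL;` between the options and infop lines, and the hunk sits at line 294 rather than 275), so the backport was regenerated for this tree rather than applied verbatim; the memset still lands as the last statement before `return 0;`, which is the right place. Note that `iw->infop` is only converted with `u64_to_user_ptr()` here and not validated, so this change fixes the content of the copy-out, not its destination, which is still checked only on the copy path.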
    
b737c6612c60

io_uring/waitid: clear waitid info before copying it to userspace

Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Author: Heechan Kang · May 16, 2026 · Fixed in 6.18.34 · via kernel-cna
1 file changed · +1 line
  • io_uring/waitid.c · +1 · modified
    diff --git a/io_uring/waitid.c b/io_uring/waitid.c
    index 53532ae6256ca..921b4de3a31cb 100644
    --- a/io_uring/waitid.c
    +++ b/io_uring/waitid.c
    @@ -258,6 +258,7 @@ int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
     	iw->upid = READ_ONCE(sqe->fd);
     	iw->options = READ_ONCE(sqe->file_index);
     	iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
    +	memset(&iw->info, 0, sizeof(iw->info));
     	return 0;
     }
     
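Review bot: the change is one line and the entry shows 1 file changed, so no regression test rides along with it. A liburing-style test that submits IORING_OP_WAITID for a child that has not yet changed state, so the wait completes without an event, and then asserts that every byte of the user struct at `infop` is zero would catch a reintroduction on any of the four branches this fix was applied to.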
    
93d93f5f8da7

io_uring/waitid: clear waitid info before copying it to userspace

Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Author: Heechan Kang · May 16, 2026 · Fixed in 7.1-rc5 · via kernel-cna
1 file changed · +1 line
  • io_uring/waitid.c · +1 · modified
    diff --git a/io_uring/waitid.c b/io_uring/waitid.c
    index d25d60aed6afc..32f68fd7fcdda 100644
    --- a/io_uring/waitid.c
    +++ b/io_uring/waitid.c
    @@ -275,6 +275,7 @@ int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
     	iw->options = READ_ONCE(sqe->file_index);
     	iw->head = NULL;
     	iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
    +	memset(&iw->info, 0, sizeof(iw->info));
     	return 0;
     }
     
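Review bot: this hunk is byte-identical to the 7.0.11 entry, down to the blob indexes d25d60aed6afc..32f68fd7fcdda, so io_uring/waitid.c was the same file in both trees and this is the mainline commit the stable entries backport; the fixed-version list should therefore read 7.1-rc5 as the origin fix and 7.0.11, 6.18.34 and 6.12.92 as backports. Zeroing only `info` rather than the whole `struct io_waitid` is the right scope, since per the description `info` is what gets copied to userspace.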
    

Vulnerability mechanics

Root cause

"The io_uring IORING_OP_WAITID operation does not initialize the result structure before copying it to userspace, leading to the exposure of stale data."

Attack vector

An attacker submits an IORING_OP_WAITID request whose wait completes without a child event to report. On that path the common wait code returns without writing the result through wo_info, and the io_uring completion path then copies the never-initialized info struct, holding whatever bytes the reused command storage last held, to the user buffer at infop.

Affected code

The affected code is in `io_uring/waitid.c`. `IORING_OP_WAITID` keeps its result in `struct io_waitid::info` and copies it to userspace on completion; the missing step is in `io_waitid_prep`, which set `upid`, `options` and `infop` but never cleared `info`, so a request that reused command storage started with stale contents in the field that is later copied out.

What the fix does

The patch introduces a call to `memset(&iw->info, 0, sizeof(iw->info))` within the `io_waitid_prep` function [patch_id=5322839]. This ensures that the `info` structure, which holds the waitid results, is zero-initialized before any potential copy to userspace. This aligns the io_uring path with the behavior of the regular waitid syscall, preventing the exposure of stale data.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
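To make the failure mode concrete, the following is an added userspace model written for this page; it is not kernel code and not part of the advisory. It reproduces the structure described in the Vulnerability section above and in this "Vulnerability mechanics" text: one storage slot reused across requests stands in for io_uring's per-request command storage, a stand-in for the common wait code writes the result only when it has a child event, and a completion step copies the whole struct out regardless. Only the four-field layout of struct waitid_info is taken from the kernel; every other name is invented, and the 0xA5 fill is a constructed stand-in for whatever an earlier request left behind.

```c
/*
 * Added userspace model of CVE-2026-46315 (illustration only, not kernel code).
 * Names such as req_storage, prep_vulnerable, prep_fixed, model_common_wait and
 * stale_bytes_visible are invented for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same four fields as the kernel's struct waitid_info: pid, uid, status, cause. */
struct waitid_info {
    int32_t  pid;
    uint32_t uid;
    int32_t  status;
    int32_t  cause;
};

/* Stand-in for struct io_waitid: the result struct lives inside the request itself. */
struct io_waitid_model {
    int upid;
    int options;
    struct waitid_info info;
};

/* One request slot reused across operations, like io_kiocb command storage. */
static union {
    unsigned char raw[64];
    struct io_waitid_model iw;
} req_storage;

#define STALE_FILL 0xA5  /* constructed marker for "whatever the previous request left" */

/* An earlier, unrelated request used the same slot and left its bytes behind. */
static void simulate_previous_request(void)
{
    memset(req_storage.raw, STALE_FILL, sizeof(req_storage.raw));
}

/*
 * Stand-in for the common wait code: it writes the result through wo_info only
 * when there is a child event to report and otherwise returns without touching it.
 */
static int model_common_wait(struct waitid_info *wo_info, bool child_event)
{
    if (!child_event)
        return 0;                 /* nothing to report; wo_info left exactly as it was */
    wo_info->pid    = 4242;       /* constructed child pid */
    wo_info->uid    = 1000;
    wo_info->status = 0;
    wo_info->cause  = 1;          /* CLD_EXITED */
    return wo_info->pid;
}

/* Vulnerable prep: reads the request parameters, never clears info. */
static struct io_waitid_model *prep_vulnerable(int upid, int options)
{
    struct io_waitid_model *iw = &req_storage.iw;
    iw->upid = upid;
    iw->options = options;
    return iw;
}

/* Fixed prep: identical, plus the one-line memset the patch adds. */
static struct io_waitid_model *prep_fixed(int upid, int options)
{
    struct io_waitid_model *iw = prep_vulnerable(upid, options);
    memset(&iw->info, 0, sizeof(iw->info));
    return iw;
}

/* Completion: copies the whole result struct to the user buffer unconditionally. */
static void model_finish(const struct io_waitid_model *iw, struct waitid_info *user_buf)
{
    memcpy(user_buf, &iw->info, sizeof(*user_buf));
}

/*
 * Run one request and count how many bytes of the user-visible result still
 * carry the previous request's marker. 0 means nothing stale reached the user.
 */
size_t stale_bytes_visible(bool fixed, bool child_event)
{
    struct waitid_info user_buf;
    const unsigned char *p = (const unsigned char *)&user_buf;
    size_t stale = 0;

    simulate_previous_request();
    struct io_waitid_model *iw = fixed ? prep_fixed(1, 0) : prep_vulnerable(1, 0);
    model_common_wait(&iw->info, child_event);
    model_finish(iw, &user_buf);

    for (size_t i = 0; i < sizeof(user_buf); i++)
        stale += (p[i] == STALE_FILL);
    return stale;
}

int main(void)
{
    printf("vulnerable, no child event : %zu stale bytes\n", stale_bytes_visible(false, false));
    printf("vulnerable, child event    : %zu stale bytes\n", stale_bytes_visible(false, true));
    printf("fixed,      no child event : %zu stale bytes\n", stale_bytes_visible(true, false));
    return 0;
}
```

The model shows why the bug was easy to miss: when a child event is reported, the wait code overwrites every field and nothing stale is visible, so only the "nothing to report" path leaks, and only when the slot was previously used. Zeroing in prep, as the patch does, covers both paths with one line.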

References: 4 (cited inline as [1]; the list itself is not reproduced on this page)

News mentions: 0 (no linked articles in our index yet)