CVE-2026-23275 (GCVE-0-2026-23275)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-03-20 08:08
VLAI?
Title
io_uring: ensure ctx->rings is stable for task work flags manipulation
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 7cc4530b3e952d4a5947e1e55d06620d8845d4f5 (git)
Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1 (git)
Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 96189080265e6bb5dde3a4afbaf947af493e3f82 (git)
Create a notification for this product.
    Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0-rc4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/io_uring_types.h",
            "io_uring/io_uring.c",
            "io_uring/register.c",
            "io_uring/tw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cc4530b3e952d4a5947e1e55d06620d8845d4f5",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            },
            {
              "lessThan": "46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            },
            {
              "lessThan": "96189080265e6bb5dde3a4afbaf947af493e3f82",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/io_uring_types.h",
            "io_uring/io_uring.c",
            "io_uring/register.c",
            "io_uring/tw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0-rc4",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx-\u003erings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it\u0027s possible for the OR\u0027ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd -\u003erings pointer, -\u003erings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there\u0027s no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that\u0027s the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T08:08:55.857Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"
        },
        {
          "url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"
        }
      ],
      "title": "io_uring: ensure ctx-\u003erings is stable for task work flags manipulation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23275",
    "datePublished": "2026-03-20T08:08:55.857Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-03-20T08:08:55.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23275\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-20T09:16:13.223\",\"lastModified\":\"2026-03-20T13:37:50.737\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: ensure ctx-\u003erings is stable for task work flags manipulation\\n\\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\\nthe ring is being resized, it\u0027s possible for the OR\u0027ing of\\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\\nnew rings and the old rings being freed.\\n\\nPrevent this by adding a 2nd -\u003erings pointer, -\u003erings_rcu, which is\\nprotected by RCU. The task work flags manipulation is inside RCU\\nalready, and if the resize ring freeing is done post an RCU synchronize,\\nthen there\u0027s no need to add locking to the fast path of task work\\nadditions.\\n\\nNote: this is only done for DEFER_TASKRUN, as that\u0027s the only setup mode\\nthat supports ring resizing. If this ever changes, then they too need to\\nuse the io_ctx_mark_taskrun() helper.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nio_uring: asegurar que ctx-\u0026gt;rings sea estable para la manipulaci\u00f3n de las banderas de trabajo de tarea\\n\\nSi se usa DEFER_TASKRUN | SETUP_TASKRUN y se a\u00f1ade trabajo de tarea mientras el anillo est\u00e1 siendo redimensionado, es posible que la operaci\u00f3n OR de IORING_SQ_TASKRUN ocurra en la peque\u00f1a ventana de intercambio a los nuevos anillos y la liberaci\u00f3n de los anillos antiguos.\\n\\nEsto se previene a\u00f1adiendo un segundo puntero -\u0026gt;rings, -\u0026gt;rings_rcu, el cual est\u00e1 protegido por RCU. La manipulaci\u00f3n de las banderas de trabajo de tarea ya est\u00e1 dentro de RCU, y si la liberaci\u00f3n del anillo redimensionado se realiza despu\u00e9s de una sincronizaci\u00f3n RCU, entonces no hay necesidad de a\u00f1adir bloqueo a la ruta r\u00e1pida de las adiciones de trabajo de tarea.\\n\\nNota: esto solo se hace para DEFER_TASKRUN, ya que ese es el \u00fanico modo de configuraci\u00f3n que soporta el redimensionamiento de anillos. Si esto alguna vez cambia, entonces ellos tambi\u00e9n necesitar\u00e1n usar la funci\u00f3n auxiliar io_ctx_mark_taskrun().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.