The root cause of the bug is a misuse of the identity model in io_uring. When preparing a request, the kernel uses the identity of the current task instead of that of the request task, which causes a type confusion and an invalid free when the request is destroyed.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2090718]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This was fixed for Fedora with the 5.12 kernel rebases.