2449558 – (CVE-2026-23275) CVE-2026-23275 kernel: io_uring: ensure ctx->rings is stable for task work flags manipulation

Bug 2449558 (CVE-2026-23275) - CVE-2026-23275 kernel: io_uring: ensure ctx->rings is stable for task work flags manipulation

Summary: CVE-2026-23275 kernel: io_uring: ensure ctx->rings is stable for task work fl...

Keywords:
Status:	NEW
Alias:	CVE-2026-23275
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-20 09:02 UTC by OSIDB Bzimport
Modified:	2026-03-20 18:09 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-20 09:02:23 UTC

In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while
the ring is being resized, it's possible for the OR'ing of
IORING_SQ_TASKRUN to happen in the small window of swapping into the
new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is
protected by RCU. The task work flags manipulation is inside RCU
already, and if the resize ring freeing is done post an RCU synchronize,
then there's no need to add locking to the fast path of task work
additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode
that supports ring resizing. If this ever changes, then they too need to
use the io_ctx_mark_taskrun() helper.

Comment 1 Alexander B 2026-03-20 12:08:38 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23275-33fe@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.