{"id":"CVE-2026-23275","summary":"io_uring: ensure ctx-\u003erings is stable for task work flags manipulation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx-\u003erings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd -\u003erings pointer, -\u003erings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper.","modified":"2026-04-02T13:12:19.417562Z","published":"2026-03-20T08:08:55.857Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23275.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23275.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23275"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"79cfe9e59c2a12c3b3faeeefe38d23f3d8030972"},{"fixed":"7cc4530b3e952d4a5947e1e55d06620d8845d4f5"},{"fixed":"46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"},{"fixed":"96189080265e6bb5dde3a4afbaf947af493e3f82"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23275.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23275.json"}}],"schema_version":"1.7.5"}