KernelScan.io

HIGH

io_uring TaskRun Race

CVE-2026-23275

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 8.1 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.

02

Engine v0.2.0

Risk summary

Kernels running applications that use io_uring with DEFER_TASKRUN and ring resizing are exposed to a use-after-free in kernel heap memory. An unprivileged local attacker can trigger the race during a ring resize operation, leading to memory corruption with potential for privilege escalation, container escape, or system compromise.

Affected: io_uring/tw.c (io_uring subsystem)

Vulnerability analysis

The vulnerability is a use-after-free caused by a race between io_uring's task work flag manipulation and ring resizing. When a ring is set up with DEFER_TASKRUN | SETUP_TASKRUN and task work is added while the ring is being resized, the OR'ing of IORING_SQ_TASKRUN into the SQ flags can go through the old rings pointer in the small window between the swap to the new rings and the freeing of the old ones, so the flag write lands in memory that has already been freed. The fix introduces a second, RCU-protected rings pointer (rings_rcu) and calls synchronize_rcu_expedited() before freeing the old ring memory, so the resize path never reclaims memory that a fast-path task work addition may still be reading or writing. The attack surface is local and unprivileged: it requires only the ability to create an io_uring instance with DEFER_TASKRUN and issue a concurrent ring resize.

03

Branch    Fixed in   Patch commit
6.18      6.18.19    7cc4530b3e95
6.19      6.19.9     46dc07d5f314
mainline  7.0        96189080265e