HIGH
io_uring Buffer Race
CVE-2026-43366
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.0 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: check if target buffer list is still legacy on recycle

There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.
02 KernelScan AI Analysis
Risk summary
A local attacker with low privileges can exploit a race condition in io_uring buffer recycling to cause a use-after-free. This affects systems that run untrusted code, and multi-tenant environments, where io_uring is accessible to unprivileged users.
Vulnerability analysis
The vulnerability is a race condition in io_uring's buffer recycling mechanism that leads to a use-after-free. When a buffer is grabbed from a legacy buffer list and later recycled via io-wq, there is a time window in which another thread can upgrade the (now empty) buffer list from the legacy type to the ring-mapped type, or remove it entirely. The original code in io_kbuf_recycle_legacy() added the buffer back to a list that may already have been freed or replaced, and did not clear req->kbuf, leaving a dangling pointer to the buffer. The fix validates that the buffer list still exists and is still of the legacy type before recycling, and clears req->kbuf so that no stale pointer survives the recycle.
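As an added illustration of the two checks described above (a constructed user-space model, not kernel code and not from the KernelScan AI page): a request grabs the only buffer from a legacy list, the now-empty list is then upgraded to a ring or unregistered, and the recycle path is exercised in both its unchecked and its checked shape. The names recycle_legacy_unchecked, recycle_legacy_checked, run_scenario and the bl_type and race enums are this model's own; kernel types and locking are simplified away, and freeing an orphaned buffer is a modelling choice.

```c
#include <stdlib.h>
/* Constructed user-space model of the legacy buffer-list recycle path; not kernel code. */
enum bl_type { BL_LEGACY, BL_RING };
enum race { RACE_NONE, RACE_UPGRADED, RACE_REMOVED };
struct io_buffer { struct io_buffer *next; };
struct io_buffer_list { enum bl_type type; struct io_buffer *head; };
struct io_kiocb { struct io_buffer *kbuf; unsigned bgid; };
struct io_ring_ctx { struct io_buffer_list *lists[2]; };
/* Pre-fix shape: trusts that the list the buffer came from still exists and is still legacy. */
void recycle_legacy_unchecked(struct io_ring_ctx *ctx, struct io_kiocb *req) {
    struct io_buffer_list *bl = ctx->lists[req->bgid];
    req->kbuf->next = bl->head;   /* bl may be NULL (removed) or ring-mapped (upgraded) */
    bl->head = req->kbuf;         /* and req->kbuf is left pointing at the recycled buffer */
}

/* Post-fix shape: look the list up again, verify it is still legacy, always clear req->kbuf. */
int recycle_legacy_checked(struct io_ring_ctx *ctx, struct io_kiocb *req) {
    struct io_buffer *buf = req->kbuf;
    struct io_buffer_list *bl = ctx->lists[req->bgid];
    req->kbuf = NULL;                 /* no dangling pointer whatever happens next */
    if (!bl || bl->type != BL_LEGACY) {
        free(buf);                    /* model choice: the buffer has no list to go back to */
        return 0;
    }
    buf->next = bl->head;
    bl->head = buf;
    return 1;
}

/* Grab one buffer, optionally race, recycle. Bits: 1 accepted, 2 list consistent, 4 kbuf cleared. */
int run_scenario(enum race r) {
    struct io_buffer_list bl = { BL_LEGACY, calloc(1, sizeof(struct io_buffer)) };
    struct io_ring_ctx ctx = { { &bl, NULL } };
    struct io_kiocb req = { bl.head, 0 };
    struct io_buffer *buf = req.kbuf;
    int result = 0;
    bl.head = NULL;                                  /* grab: the legacy list is now empty */
    if (r == RACE_UPGRADED) bl.type = BL_RING;       /* empty list re-registered as a ring */
    if (r == RACE_REMOVED)  ctx.lists[0] = NULL;     /* empty list unregistered entirely */
    if (recycle_legacy_checked(&ctx, &req)) {
        result |= 1;
        if (bl.head == buf && buf->next == NULL) result |= 2;
        free(buf);
    } else if (bl.head == NULL) {
        result |= 2;                                 /* ring/removed list left untouched */
    }
    if (req.kbuf == NULL) result |= 4;
    return result;
}
```

Calling recycle_legacy_unchecked in the RACE_REMOVED case would dereference a NULL list, and in the RACE_UPGRADED case would push a legacy buffer onto a ring-type list while req->kbuf still points at it; the checked path refuses both and leaves req->kbuf clear.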
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | a7b33671e418 |
| 6.6 | 6.6.130 | 439a6728ec46 |
| 6.12 | 6.12.78 | f3fb54e7a8b4 |
| 6.18 | 6.18.19 | 50ad880db301 |
| 6.19 | 6.19.9 | 97b57f69fee1 |
| mainline | 7.0 | c2c185be5c85 |