HIGH
io_uring ZCRX UAF
CVE-2026-45995
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() uses a struct user_struct, which io_zcrx_ifq_free() puts down before destroying the ring.
02 KernelScan AI Analysis
Risk summary
A local attacker who can register an io_uring zero-copy receive (ZCRX) interface queue can trigger a use-after-free in its teardown path. During ring cleanup the kernel writes to a struct user_struct (decrementing its locked_vm accounting) after that object has already been released to the uid_cache slab, so the write lands in freed memory or in whatever object has since reused the slot. The result is limited kernel heap corruption with a likely outcome of a kernel panic or memory accounting drift rather than a direct privilege escalation, which matches the C:L/I:L/A:H vector. One caveat for triage: as far as this editor can verify against the mainline tree, io_register_zcrx_ifq() is gated by a capable(CAP_NET_ADMIN) check, so the PR:N rating should be read as "no privileges beyond those needed to register a ZCRX queue" when assessing exposure.
Vulnerability analysis
The defect is an ordering bug in io_zcrx_ifq_free(): it calls free_uid(ifq->user) before io_free_rbuf_ring(), but the latter still dereferences ifq->user to uncharge the ring's pages from locked_vm. free_uid() drops a reference on the user_struct and frees the object (a uid_cache slab allocation) when the count reaches zero, so when the ifq held the last reference the uncharge is a write into freed memory. The out-of-order access itself is deterministic, with no race window needed; whether the object is actually gone at that moment depends only on whether other references (for example the creating task's credentials) are still outstanding, which is also why the bug can stay silent in testing. The fix reorders the cleanup so that io_free_rbuf_ring() runs first and free_uid() is called only after the ring region has been uncharged and destroyed.
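To make the ordering hazard concrete, here is a small user-space model of the teardown sequence, written for this page and not taken from the kernel. The structure and function names mirror the kernel's (user_struct, io_zcrx_ifq, free_uid, io_unaccount_mem, io_free_rbuf_ring), but the bodies are simplified: a freed flag on the object stands in for a poisoned slab object, and the extra_refs parameter is an assumption that models other holders of the user_struct, such as the creating task's credentials. The model runs both the buggy and the fixed order, and also shows the case where an outstanding reference hides the bug.

```c
/*
 * Added example, not kernel code: a model of the io_zcrx_ifq_free() ordering bug.
 * Names mirror the kernel's; bodies are simplified for user space.
 */
#include <stdlib.h>

struct user_struct {
	long refcount;   /* kernel: refcount_t __count */
	long locked_vm;  /* pages charged against RLIMIT_MEMLOCK */
	int freed;       /* model-only: set when the object "returns to the slab" */
};

struct io_mapped_region {
	unsigned long nr_pages;
};

struct io_zcrx_ifq {
	struct user_struct *user;
	struct io_mapped_region region;
};

enum teardown_result {
	TEARDOWN_OK = 0,
	TEARDOWN_UAF = 1,         /* accounting touched an already freed user_struct */
	TEARDOWN_BAD_ACCOUNT = 2  /* locked_vm did not return to its baseline */
};

static struct user_struct *get_uid(struct user_struct *u)
{
	u->refcount++;
	return u;
}

/* Drop a reference; the last one frees the object (kfree in the kernel). */
static void free_uid(struct user_struct *u)
{
	if (u && --u->refcount == 0)
		u->freed = 1;  /* model-only stand-in for the slab poison */
}

/* io_unaccount_mem(): writes to user->locked_vm, so it must see a live object. */
static int io_unaccount_mem(struct user_struct *u, unsigned long nr_pages)
{
	if (u->freed)
		return -1;  /* model-only: this is where KASAN would report the UAF */
	u->locked_vm -= (long)nr_pages;
	return 0;
}

static int io_free_rbuf_ring(struct io_zcrx_ifq *ifq)
{
	int ret = io_unaccount_mem(ifq->user, ifq->region.nr_pages);

	ifq->region.nr_pages = 0;
	return ret;
}

/*
 * Register a 16-page ring for a user, then tear it down in the requested order.
 * extra_refs models other holders of the user_struct (assumption: e.g. the
 * creating task's credentials). With extra_refs == 0 the ifq holds the last ref.
 */
static enum teardown_result run_teardown(int fixed_order, long extra_refs)
{
	struct user_struct *u = calloc(1, sizeof *u);
	struct io_zcrx_ifq *ifq = calloc(1, sizeof *ifq);
	enum teardown_result res;
	int ret;

	u->refcount = extra_refs;
	ifq->user = get_uid(u);          /* registration takes its own reference */
	ifq->region.nr_pages = 16;
	u->locked_vm += 16;              /* pages charged at registration */

	if (fixed_order) {               /* fixed: uncharge first, then drop the ref */
		ret = io_free_rbuf_ring(ifq);
		free_uid(ifq->user);
	} else {                         /* buggy: drop the ref, then dereference it */
		free_uid(ifq->user);
		ret = io_free_rbuf_ring(ifq);
	}

	if (ret)
		res = TEARDOWN_UAF;
	else if (u->locked_vm != 0)
		res = TEARDOWN_BAD_ACCOUNT;
	else
		res = TEARDOWN_OK;

	free(ifq);
	free(u);
	return res;
}
```

run_teardown(0, 0) reproduces the bug (the ifq's reference was the last one, so the uncharge hits a freed object), run_teardown(1, 0) shows the fixed order leaving locked_vm correctly back at zero, and run_teardown(0, 1) shows the buggy order passing silently while the task's own reference keeps the object alive, which is why a plain functional test would not catch this and a KASAN or refcount-aware build is the right check.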
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 7.0 | 7.0.4 | 9feb88eeda6d |
| mainline | 7.1-rc1 | 0fcccfd87152 |