CVE-2026-23275

{"id": "CVE-2026-23275", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-20T09:16:13.223", "references": [{"url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nio_uring: asegurar que ctx->rings sea estable para la manipulaci\u00f3n de las banderas de trabajo de tarea\n\nSi se usa DEFER_TASKRUN | SETUP_TASKRUN y se a\u00f1ade trabajo de tarea mientras el anillo est\u00e1 siendo redimensionado, es posible que la operaci\u00f3n OR de IORING_SQ_TASKRUN ocurra en la peque\u00f1a ventana de intercambio a los nuevos anillos y la liberaci\u00f3n de los anillos antiguos.\n\nEsto se previene a\u00f1adiendo un segundo puntero ->rings, ->rings_rcu, el cual est\u00e1 protegido por RCU. La manipulaci\u00f3n de las banderas de trabajo de tarea ya est\u00e1 dentro de RCU, y si la liberaci\u00f3n del anillo redimensionado se realiza despu\u00e9s de una sincronizaci\u00f3n RCU, entonces no hay necesidad de a\u00f1adir bloqueo a la ruta r\u00e1pida de las adiciones de trabajo de tarea.\n\nNota: esto solo se hace para DEFER_TASKRUN, ya que ese es el \u00fanico modo de configuraci\u00f3n que soporta el redimensionamiento de anillos. Si esto alguna vez cambia, entonces ellos tambi\u00e9n necesitar\u00e1n usar la funci\u00f3n auxiliar io_ctx_mark_taskrun()."}], "lastModified": "2026-05-22T18:16:37.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D394AC60-6F28-435F-872A-CCDF384B8331", "versionEndExcluding": "6.18.19", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9", "versionEndExcluding": "6.19.9", "versionStartIncluding": "6.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}