CVE-2025-71149: Linux Kernel io_uring Poll Vulnerability

CVE-2025-71149 Overview

A vulnerability has been resolved in the Linux kernel related to the io_uring subsystem's poll mechanism. Specifically, the io_poll_add() function's return value is not correctly handled during POLL_REMOVE operations with updates. When the io_uring core was updated to handle completions consistently with fixed return codes, the POLL_REMOVE opcode with updates became partially broken.

The issue manifests when a POLL_ADD is pending and POLL_REMOVE is used to update the events of that request. If the update causes the POLL_ADD to trigger, the completion is lost and a Completion Queue Entry (CQE) is never posted. Additionally, when an update causes an existing POLL_ADD to complete, the completion value is incorrectly overwritten with -ECANCELED instead of retaining the value set by io_poll_add().

Critical Impact
Applications using io_uring poll operations may experience lost completions and incorrect error codes, potentially leading to application hangs or unexpected behavior in I/O-intensive workloads.

Affected Products

Linux Kernel (io_uring subsystem)
Systems utilizing io_uring for asynchronous I/O operations
Applications depending on POLL_ADD/POLL_REMOVE event handling

Discovery Timeline

2026-01-23 - CVE CVE-2025-71149 published to NVD
2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-71149

Vulnerability Analysis

This vulnerability exists within the Linux kernel's io_uring subsystem, which provides high-performance asynchronous I/O capabilities. The io_uring interface uses submission and completion queues to handle I/O operations efficiently, and poll operations allow applications to wait for events on file descriptors.

The bug was introduced when the io_uring core was refactored to handle completions more consistently with standardized return codes. During this refactoring, the interaction between POLL_ADD and POLL_REMOVE opcodes was inadvertently broken.

The vulnerability creates two distinct failure modes:

Lost Completions: When POLL_REMOVE is used to update the events of a pending POLL_ADD request, and that update triggers the poll condition, the completion notification is lost. The application never receives the CQE it expects, which can cause indefinite waits or application hangs.
Incorrect Error Codes: When an update causes a POLL_ADD to complete, the completion value is unconditionally overwritten with -ECANCELED. This masks the actual result that io_poll_add() intended to return, causing applications to misinterpret successful operations as cancellations.

Root Cause

The root cause lies in improper handling of the return value from io_poll_add() during poll update operations. When the io_uring core was updated for consistent completion handling, the code path for POLL_REMOVE with updates failed to properly propagate the completion status from io_poll_add(). The function's return value indicates whether the poll condition was immediately satisfied, but this information was being discarded or overwritten during update operations.

Attack Vector

This is a logic error vulnerability in the Linux kernel that primarily affects system stability and application correctness rather than security directly. The attack vector involves:

An application using io_uring submits a POLL_ADD request for a file descriptor
Before the poll completes, a POLL_REMOVE operation with an update is issued to modify the events being monitored
If the new event mask causes the poll condition to be immediately satisfied, the completion is lost
The application waits indefinitely for a CQE that will never arrive, or receives an incorrect -ECANCELED status

While this vulnerability does not directly enable privilege escalation or code execution, it could potentially be leveraged as part of a denial-of-service condition by causing critical applications to hang or malfunction.

Detection Methods for CVE-2025-71149

Indicators of Compromise

Applications using io_uring experiencing unexplained hangs during poll update operations
Increased occurrence of -ECANCELED errors from io_uring poll operations without corresponding cancellation requests
Missing CQE entries in io_uring completion queues after POLL_REMOVE with update operations

Detection Strategies

Monitor system logs for io_uring-related errors or warnings indicating poll completion anomalies
Implement application-level tracing for io_uring operations to identify missing completions
Use kernel tracing tools (ftrace, perf) to monitor io_poll_add() return values and CQE posting behavior
Deploy SentinelOne Singularity Platform for comprehensive kernel-level monitoring and anomaly detection

Monitoring Recommendations

Enable io_uring-specific tracepoints in the kernel for debugging affected systems
Monitor application performance metrics for unexpected latency spikes in I/O operations
Review application crash dumps and hang reports for patterns consistent with this vulnerability
Implement timeout mechanisms in applications using io_uring poll operations as a defensive measure

How to Mitigate CVE-2025-71149

Immediate Actions Required

Update to a patched Linux kernel version that includes the fix for this vulnerability
Review applications using io_uring poll update functionality for potential exposure
Consider implementing application-level workarounds to avoid POLL_REMOVE with updates until patching is complete
Monitor critical applications for signs of poll completion loss or incorrect error codes

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that:

Completions from io_poll_add() during update operations are properly posted to the completion queue
The completion value set by io_poll_add() is retained and not overwritten with -ECANCELED

Multiple kernel commits have been published to address this issue across stable kernel branches:

Workarounds

Avoid using POLL_REMOVE with updates on pending POLL_ADD requests until the kernel is patched
Implement timeout-based fallback mechanisms in applications to detect and recover from lost completions
Consider using alternative polling mechanisms (epoll, select) for critical applications until patching is complete
Add application-level retry logic for poll operations that return unexpected -ECANCELED errors

bash

# Check current kernel version
uname -r

# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-generic

# Update kernel on RHEL/CentOS systems
sudo yum update kernel

# Verify the patch is applied by checking kernel version after reboot
uname -r

CVE-2025-71149 Overview

Critical Impact
Applications using io_uring poll operations may experience lost completions and incorrect error codes, potentially leading to application hangs or unexpected behavior in I/O-intensive workloads.

Affected Products

Linux Kernel (io_uring subsystem)
Systems utilizing io_uring for asynchronous I/O operations
Applications depending on POLL_ADD/POLL_REMOVE event handling

Discovery Timeline

2026-01-23 - CVE CVE-2025-71149 published to NVD
2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-71149

Vulnerability Analysis

The vulnerability creates two distinct failure modes:

Lost Completions: When POLL_REMOVE is used to update the events of a pending POLL_ADD request, and that update triggers the poll condition, the completion notification is lost. The application never receives the CQE it expects, which can cause indefinite waits or application hangs.
Incorrect Error Codes: When an update causes a POLL_ADD to complete, the completion value is unconditionally overwritten with -ECANCELED. This masks the actual result that io_poll_add() intended to return, causing applications to misinterpret successful operations as cancellations.

Root Cause

Attack Vector

This is a logic error vulnerability in the Linux kernel that primarily affects system stability and application correctness rather than security directly. The attack vector involves:

An application using io_uring submits a POLL_ADD request for a file descriptor
Before the poll completes, a POLL_REMOVE operation with an update is issued to modify the events being monitored
If the new event mask causes the poll condition to be immediately satisfied, the completion is lost
The application waits indefinitely for a CQE that will never arrive, or receives an incorrect -ECANCELED status

Detection Methods for CVE-2025-71149

Indicators of Compromise

Applications using io_uring experiencing unexplained hangs during poll update operations
Increased occurrence of -ECANCELED errors from io_uring poll operations without corresponding cancellation requests
Missing CQE entries in io_uring completion queues after POLL_REMOVE with update operations

Detection Strategies

Monitor system logs for io_uring-related errors or warnings indicating poll completion anomalies
Implement application-level tracing for io_uring operations to identify missing completions
Use kernel tracing tools (ftrace, perf) to monitor io_poll_add() return values and CQE posting behavior
Deploy SentinelOne Singularity Platform for comprehensive kernel-level monitoring and anomaly detection

Monitoring Recommendations

Enable io_uring-specific tracepoints in the kernel for debugging affected systems
Monitor application performance metrics for unexpected latency spikes in I/O operations
Review application crash dumps and hang reports for patterns consistent with this vulnerability
Implement timeout mechanisms in applications using io_uring poll operations as a defensive measure

How to Mitigate CVE-2025-71149

Immediate Actions Required

Update to a patched Linux kernel version that includes the fix for this vulnerability
Review applications using io_uring poll update functionality for potential exposure
Consider implementing application-level workarounds to avoid POLL_REMOVE with updates until patching is complete
Monitor critical applications for signs of poll completion loss or incorrect error codes

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that:

Completions from io_poll_add() during update operations are properly posted to the completion queue
The completion value set by io_poll_add() is retained and not overwritten with -ECANCELED

Multiple kernel commits have been published to address this issue across stable kernel branches:

Workarounds

Avoid using POLL_REMOVE with updates on pending POLL_ADD requests until the kernel is patched
Implement timeout-based fallback mechanisms in applications to detect and recover from lost completions
Consider using alternative polling mechanisms (epoll, select) for critical applications until patching is complete
Add application-level retry logic for poll operations that return unexpected -ECANCELED errors

bash

# Check current kernel version
uname -r

# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-generic

# Update kernel on RHEL/CentOS systems
sudo yum update kernel

# Verify the patch is applied by checking kernel version after reboot
uname -r

CVE-2025-71149: Linux Kernel io_uring Poll Vulnerability

CVE-2025-71149 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-71149

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-71149

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-71149

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-71149: Linux Kernel io_uring Poll Vulnerability

CVE-2025-71149 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-71149

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-71149

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-71149

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform