CVE-2026-23275 Overview
A race condition vulnerability has been discovered in the Linux kernel's io_uring subsystem. The flaw exists in the handling of task work flags manipulation when DEFER_TASKRUN | SETUP_TASKRUN is used during ring resizing operations. If task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to occur in a small window between swapping into the new rings and the old rings being freed, potentially leading to use-after-free conditions.
Critical Impact
This vulnerability allows a local attacker to potentially exploit a race condition in io_uring ring resizing, which could lead to memory corruption or denial of service on affected Linux kernel systems.
Affected Products
- Linux Kernel (versions using io_uring with DEFER_TASKRUN support)
- Systems utilizing io_uring with ring resize functionality
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-23275 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-23275
Vulnerability Analysis
The vulnerability resides in the Linux kernel's io_uring implementation, specifically in how the ctx->rings pointer is managed during concurrent operations. When DEFER_TASKRUN | SETUP_TASKRUN configuration is active, the kernel manipulates task work flags by OR'ing IORING_SQ_TASKRUN into the rings structure.
The core issue is a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during ring resize operations. During the resize process, there exists a brief window where the old rings structure is being swapped out for a new one. If task work is added during this exact moment, the flag manipulation may target the old rings structure that is about to be freed, resulting in a potential use-after-free scenario.
This vulnerability specifically affects configurations using DEFER_TASKRUN mode, as this is the only setup mode that supports ring resizing. The attack requires local access and the ability to trigger io_uring operations with specific timing characteristics.
Root Cause
The root cause is the lack of proper synchronization between the rings pointer access during task work flag manipulation and the ring resize operation. The original implementation used a single ->rings pointer that could be accessed concurrently without adequate protection during the resize window. The fix introduces a secondary pointer, ->rings_rcu, which is protected by RCU (Read-Copy-Update) synchronization primitives, ensuring that the old rings structure is not freed until all concurrent accessors have completed their operations.
Attack Vector
The attack vector requires local access to a system running a vulnerable Linux kernel with io_uring support enabled. An attacker would need to:
- Create an io_uring instance with DEFER_TASKRUN | SETUP_TASKRUN flags
- Initiate a ring resize operation
- Simultaneously trigger task work additions to exploit the race window
- The precise timing required makes exploitation challenging but not impossible
The vulnerability mechanism involves concurrent access to the rings structure during resize. When the resize operation begins, the kernel allocates a new rings structure and prepares to swap pointers. During the brief window between updating the pointer and freeing the old structure, any task work additions that reference the old structure via cached pointer values could result in writing to freed memory after the synchronization completes. The fix addresses this by using RCU protection to ensure the old rings structure remains valid until all in-flight operations complete.
Detection Methods for CVE-2026-23275
Indicators of Compromise
- Unexpected kernel panics or crashes related to io_uring operations
- Kernel log messages indicating memory corruption in io_uring subsystem
- System instability during high io_uring workload with ring resize operations
- KASAN (Kernel Address Sanitizer) reports showing use-after-free in io_uring code paths
Detection Strategies
- Monitor kernel logs for io_uring-related error messages or warnings
- Enable KASAN on development/test systems to detect memory safety violations
- Audit applications using io_uring with DEFER_TASKRUN flag for potential exposure
- Review system configurations to identify use of io_uring ring resize functionality
Monitoring Recommendations
- Implement kernel log monitoring for io_uring subsystem anomalies
- Deploy runtime security tools capable of detecting kernel memory corruption
- Monitor for unusual patterns in io_uring system calls that may indicate exploitation attempts
- Enable kernel tracing for io_uring operations in security-sensitive environments
How to Mitigate CVE-2026-23275
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review and update containerized workloads using io_uring functionality
- Consider temporarily disabling io_uring ring resize if not required for operations
- Apply vendor-specific patches from your Linux distribution
Patch Information
The vulnerability has been resolved in the Linux kernel through the introduction of a secondary RCU-protected rings pointer (->rings_rcu). The fix ensures that task work flag manipulation occurs safely within RCU read-side critical sections, and ring resize operations perform proper RCU synchronization before freeing old structures. The patches are available through the official kernel git repository:
Workarounds
- Disable io_uring functionality system-wide if not required (via io_uring_disabled sysctl)
- Restrict access to io_uring system calls using seccomp filters
- Limit io_uring usage to trusted applications only via security policies
- Monitor applications using DEFER_TASKRUN mode and evaluate if ring resize functionality is necessary
# Disable io_uring system-wide (requires kernel support)
echo 2 > /proc/sys/kernel/io_uring_disabled
# Or via sysctl configuration
echo "kernel.io_uring_disabled = 2" >> /etc/sysctl.d/99-io_uring.conf
sysctl -p /etc/sysctl.d/99-io_uring.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
