CVE-2026-46315 Overview
CVE-2026-46315 is an information disclosure vulnerability in the Linux kernel's io_uring subsystem. The flaw affects the IORING_OP_WAITID operation, which stores result fields in struct io_waitid::info before copying them to userspace siginfo. The preparation path initializes request arguments but does not initialize the info structure itself. When a wait operation completes without reporting a child event, io_waitid_finish() still copies iw->info to userspace, leaking stale bytes from reused io_kiocb command storage to unprivileged callers.
Critical Impact
Local unprivileged processes can read uninitialized kernel memory from reused io_kiocb command storage through the io_uring waitid interface.
Affected Products
- Linux kernel versions containing the IORING_OP_WAITID implementation prior to the referenced fix commits
- Distributions shipping affected upstream kernels until backported patches are applied
- Stable kernel branches updated via commits 4d2a0de, 93d93f5, 954518e, and b737c66
Discovery Timeline
- 2026-06-09 - CVE-2026-46315 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46315
Vulnerability Analysis
The vulnerability resides in the io_uring waitid operation path. IORING_OP_WAITID reuses the per-request command storage area within struct io_kiocb to hold an io_waitid structure, which embeds a struct waitid_info info field intended to mirror the data returned by the regular waitid(2) syscall.
The regular waitid syscall stack-allocates a struct waitid_info that is zero-initialized at function entry. The io_uring path does not match this behavior. The preparation function io_waitid_prep() initializes user-supplied arguments such as the wait id type, pid, and options, but never clears the embedded info field.
If the wait operation completes without observing a reapable child event, the common wait code returns without writing wo_info. The completion handler io_waitid_finish() then unconditionally copies iw->info to the userspace siginfo buffer. The copied bytes contain whatever data previously occupied that region of the recycled io_kiocb slab object.
Root Cause
The defect is a missing initialization of an on-object output buffer prior to its conditional population. Because io_kiocb allocations are pooled and reused across requests, the uninitialized region contains residual data from prior commands, including potentially sensitive pointer values, kernel addresses, or operation-specific metadata.
Attack Vector
A local unprivileged process with the ability to submit io_uring requests can issue IORING_OP_WAITID operations crafted to complete without a child status change. The process then reads the populated siginfo structure to recover stale kernel memory contents. Repeated submissions allow incremental harvesting of kernel data useful for bypassing Kernel Address Space Layout Randomization (KASLR) or staging follow-on exploits.
The fix clears the result storage during preparation so the io_uring path matches the zero-initialized struct waitid_info semantics of the regular waitid syscall. See the Kernel Git Commit 4d2a0de and the Kernel Git Commit 93d93f5 for the corrective changes.
Detection Methods for CVE-2026-46315
Indicators of Compromise
- Unprivileged processes making sustained sequences of io_uring_enter calls submitting IORING_OP_WAITID operations
- Processes invoking waitid-style operations against pid targets they would not normally monitor
- Unexpected io_uring usage from non-server workloads or sandboxed applications
Detection Strategies
- Audit io_uring syscall usage with auditd rules targeting io_uring_setup, io_uring_register, and io_uring_enter
- Correlate kernel version banners against the patched stable commits to identify exposed hosts
- Use eBPF tracing on the io_waitid_prep and io_waitid_finish functions to baseline legitimate callers
Monitoring Recommendations
- Enable kernel telemetry on Linux endpoints to track anomalous io_uring opcode distributions per process
- Alert when low-privilege containers or sandboxed processes begin issuing waitid operations through io_uring
- Forward kernel and audit logs to a centralized analytics platform to identify cross-host patterns of io_uring abuse
How to Mitigate CVE-2026-46315
Immediate Actions Required
- Apply the upstream stable kernel updates containing commits 4d2a0de, 93d93f5, 954518e, and b737c66
- Inventory all Linux hosts and containers running kernels with io_uring enabled and prioritize multi-tenant systems
- Restrict io_uring availability to trusted workloads using the kernel.io_uring_disabled sysctl where supported
Patch Information
The vulnerability is resolved by clearing struct io_waitid::info during request preparation. Fixes are available in the referenced stable tree commits: Kernel Git Commit 4d2a0de, Kernel Git Commit 93d93f5, Kernel Git Commit 954518e, and Kernel Git Commit b737c66. Rebuild affected distribution kernels with the appropriate backport and reboot impacted systems.
Workarounds
- Disable io_uring system-wide by setting kernel.io_uring_disabled=2 on kernels that support the sysctl
- Apply seccomp filters in container runtimes and sandboxes to block the io_uring_setup, io_uring_register, and io_uring_enter syscalls
- Avoid granting CAP_SYS_ADMIN or unrestricted io_uring access to untrusted workloads until kernels are patched
# Configuration example
# Disable io_uring globally for all users (Linux 6.6+)
sudo sysctl -w kernel.io_uring_disabled=2
echo 'kernel.io_uring_disabled = 2' | sudo tee /etc/sysctl.d/99-disable-io_uring.conf
# Verify the kernel build includes the waitid info initialization fix
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
