Skip to main content

Linux Kernel CVE-2026-45975

| EUVDEUVD-2026-32259 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3q42-3w8p-xmr3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required for io_uring/ublk use; race yields only kernel crash, so C:N and I:N with A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 02:56 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd

struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in userspace-mapped memory. It's racy to access its fields with normal loads, as userspace may write to them concurrently. Use READ_ONCE() to copy the ublksrv_ctrl_cmd from the io_uring_sqe to the stack. Use the local copy in place of the one in the io_uring_sqe.

AnalysisAI

Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.

Technical ContextAI

The ublk subsystem enables userspace-implemented block devices via the io_uring asynchronous I/O interface. The ublksrv_ctrl_cmd struct is embedded within the io_uring_sqe (submission queue entry), which lives in memory shared between the kernel and userspace via a memory-mapped ring buffer. Because the kernel previously read individual fields of ublksrv_ctrl_cmd using ordinary C loads - rather than atomic, compiler-barrier-protected reads - a concurrent userspace thread could legally modify those fields between kernel reads of different struct members, producing a time-of-check-time-of-use (TOCTOU) inconsistency. While no CWE is formally assigned, this maps to CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). The fix copies the entire struct to a local stack variable using READ_ONCE() before any field is accessed, ensuring the kernel operates on a consistent snapshot isolated from concurrent userspace writes. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to Linux kernel 6.19.4 or 7.0, which incorporate the READ_ONCE() fix confirmed by EUVD-2026-32259. The patch commits are ed9f54cc1e335096733aed03c2a46de3d58922ed and ce63eda3e6d36e2c253febee1c8421ecbd1a680e, accessible at https://git.kernel.org/stable/c/ed9f54cc1e335096733aed03c2a46de3d58922ed and https://git.kernel.org/stable/c/ce63eda3e6d36e2c253febee1c8421ecbd1a680e. If an immediate kernel upgrade is not feasible, restrict io_uring access for unprivileged users by setting sysctl kernel.io_uring_disabled=1 (disables io_uring for non-root users, but note this breaks any application relying on io_uring for normal I/O, including some databases and high-performance servers) or kernel.io_uring_disabled=2 (blocks io_uring entirely). Alternatively, unload the ublk kernel module (rmmod ublk_drv) if userspace block devices are not required in the environment; this eliminates the attack surface with no broader performance impact.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy