Skip to main content

Linux Kernel CVE-2026-52933

| EUVDEUVD-2026-38703 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-24 Linux GHSA-37vf-c5qj-3jr7
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated user can call io_uring (AV:L/PR:L), but reliable exploitation needs winning a cancellation race (AC:H); ownership corruption yields high C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:27 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix signed comparison in io_poll_get_ownership()

io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath:

if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.

AnalysisAI

Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege execution
Delivery
Submit io_uring poll requests
Exploit
Race cancellation to set IO_POLL_CANCEL_FLAG
Execution
Bypass skipped ownership slowpath
Persist
Corrupt poll_refs accounting state
Impact
Escalate privileges or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution with the ability to issue io_uring system calls (PR:L per CVSS), so the io_uring interface must be enabled and reachable by the attacker - on kernels where io_uring is disabled via kernel.io_uring_disabled or restricted by kernel.io_uring_group, the attack surface is removed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward low-to-moderate real-world priority despite the 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged user (or a process inside a container with io_uring permitted) submits poll-based io_uring operations and then races their cancellation so that IO_POLL_CANCEL_FLAG is set on poll_refs, exploiting the skipped slowpath to corrupt poll-request ownership accounting. By repeatedly winning this race, the attacker aims to trigger a use-after-free or inconsistent kernel state for privilege escalation or denial of service. …
Remediation Apply the vendor-released kernel update for your branch: Vendor-released patch versions are 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1 - upgrade to the patched point release matching your stable series, or pull the fix commits (e.g., 81bf96b0abbfa4cd47ea32e12596aed3855fb2f3 and the other backports) from git.kernel.org/stable. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Linux kernels 5.15, 6.x, and pre-patch 7.x versions, prioritizing containers and multi-tenant environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy