Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated user can call io_uring (AV:L/PR:L), but reliable exploitation needs winning a cancellation race (AC:H); ownership corruption yields high C/I/A.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: fix signed comparison in io_poll_get_ownership()
io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath:
if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken.
Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.
AnalysisAI
Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution with the ability to issue io_uring system calls (PR:L per CVSS), so the io_uring interface must be enabled and reachable by the attacker - on kernels where io_uring is disabled via kernel.io_uring_disabled or restricted by kernel.io_uring_group, the attack surface is removed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward low-to-moderate real-world priority despite the 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local, low-privileged user (or a process inside a container with io_uring permitted) submits poll-based io_uring operations and then races their cancellation so that IO_POLL_CANCEL_FLAG is set on poll_refs, exploiting the skipped slowpath to corrupt poll-request ownership accounting. By repeatedly winning this race, the attacker aims to trigger a use-after-free or inconsistent kernel state for privilege escalation or denial of service. … |
| Remediation | Apply the vendor-released kernel update for your branch: Vendor-released patch versions are 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1 - upgrade to the patched point release matching your stable series, or pull the fix commits (e.g., 81bf96b0abbfa4cd47ea32e12596aed3855fb2f3 and the other backports) from git.kernel.org/stable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Linux kernels 5.15, 6.x, and pre-patch 7.x versions, prioritizing containers and multi-tenant environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38703
GHSA-37vf-c5qj-3jr7