Skip to main content

Linux Kernel EUVDEUVD-2026-32291

| CVE-2026-45995 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-33gx-9hw6-qc5v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local attacker with an unprivileged account (AV:L, PR:L) must win a free/teardown race in io_uring zcrx (AC:H); successful UAF yields full kernel CIA impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:54 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() usees a struct user_struct, which io_zcrx_ifq_free() puts it down before destroying the ring.

AnalysisAI

Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.

Technical ContextAI

io_uring is the Linux kernel's high-performance asynchronous I/O interface, and zcrx (zero-copy receive) is a newer subsystem that maps networking receive buffers directly into user-controlled rings to avoid copy overhead. The bug is a classic CWE-416 (Use After Free): io_zcrx_ifq_free() decrements/releases the struct user_struct reference before io_free_rbuf_ring() - which still relies on that user_struct during ring teardown - completes its work, leaving a dangling pointer. The affected CPE is cpe:2.3:o:linux:linux_kernel covering recent kernels that include the zcrx feature (introduced in 6.x), with patches landing in 7.0.4 and 7.1-rc1 per EUVD metadata.

RemediationAI

Vendor-released patch: Linux 7.0.4 (stable) and 7.1-rc1 (mainline), available via the upstream commits 0fcccfd87152f957fa8312b841f6efef42a05a20 and 9feb88eeda6d288f93fcfb6bca563f89e316479d at git.kernel.org/stable; consume the corresponding backports from your distribution (RHEL, Ubuntu, SUSE, Debian) as they ship. If immediate kernel updates are not feasible, the most effective compensating control is to disable or restrict io_uring for untrusted users - either by setting the sysctl kernel.io_uring_disabled=2 (blocks all io_uring usage; side effect: breaks workloads such as recent QEMU, Node.js, ScyllaDB, and other async-IO consumers), or kernel.io_uring_disabled=1 with a CAP_SYS_NICE-gated group. Additionally, do not expose io_uring inside untrusted containers (drop in seccomp/AppArmor profiles via Docker's default seccomp which already blocks io_uring_setup, or via Kubernetes RuntimeDefault), and avoid loading the zcrx code path on hosts that don't need zero-copy networking. See the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-45995 for cross-references.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy