Skip to main content

Linux Kernel EUVDEUVD-2026-39282

| CVE-2026-53191 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qhpr-79xw-32m8
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local unprivileged io_uring use (AV:L/PR:L); AC:H because triggering needs a non-default incremental provided-buffer-ring bundle recv with partial consumption; impact is mainly information disclosure (C:H), minor integrity, no availability loss.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:28 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries

When a bundle recv retries inside io_recv_finish(), the merge logic OR the saved cflags from the previous iteration with the cflags returned by the new iteration: cflags = req->cqe.flags | (cflags & CQE_F_MASK);

Bits listed in CQE_F_MASK are inherited from the new iteration, and all other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the saved cflags. Before this change CQE_F_MASK covered only IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.

When using provided buffer rings (IOU_PBUF_RING_INC) with incremental mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring entry partially consumed, __io_put_kbufs() then sets IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the buffer ID will be reused for subsequent completions.

Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above silently dropped it whenever the final retry iteration partially consumed the buffer, and the subsequent req->cqe.flags = cflags & ~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the carried-over cflags had one been present. Userspace would then wrongfully advance it ring head past an entry the kernel still uses.

Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the new iteration into the user-visible CQE and stripped from the saved cflags between iterations.

AnalysisAI

Improper completion-flag handling in the Linux kernel's io_uring networking layer (io_uring/net) causes IORING_CQE_F_BUF_MORE to be dropped when a bundled recv operation retries while using incremental provided buffer rings (IOU_PBUF_RING_INC). Local applications using io_uring can be misled into advancing a buffer ring head past an entry the kernel is still using, leading to buffer reuse, data corruption, and potential information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local code execution as a normal user
Delivery
Open io_uring with incremental provided buffer ring (IOU_PBUF_RING_INC)
Exploit
Issue bundle recv triggering partial buffer consumption on final retry
Execution
Kernel drops IORING_CQE_F_BUF_MORE in merged cflags
Persist
Userspace advances ring head past in-use buffer
Impact
Buffer reuse causes data corruption or information disclosure

Vulnerability AssessmentAI

Exploitation Requires local code execution on the host and an application (or attacker-controlled program) that uses io_uring with provided buffer rings in incremental mode (IOU_PBUF_RING_INC) together with bundle recv, where the final retry iteration partially consumes the head ring entry - that exact configuration is the precondition stated in the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and skew toward lower real-world urgency than the headline CVSS 7.8 suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, unprivileged process on a shared or multi-tenant Linux host issues bundled io_uring recv operations against incremental provided buffer rings, crafting traffic timing so the final retry iteration only partially consumes a buffer. The dropped IORING_CQE_F_BUF_MORE flag causes the application's userspace ring logic to advance the ring head past a buffer the kernel still owns, producing buffer reuse that can corrupt or leak data within that process's I/O. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent), corresponding to upstream fix commits ed46f39c47eb5530a9c161481a2080d3a869cfaf, 0bbc9481f970b0b4ddb08cfa464db1cc93b74b56, 4973232a67e4137ab9399f504f7f2bdd847f96d2, and f40570fda3f3a1f96aeaa4aef665ba274b2810b5 (see https://git.kernel.org/stable/c/ed46f39c47eb5530a9c161481a2080d3a869cfaf). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems with CONFIG_IO_URING enabled and audit current kernel versions against vulnerability scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy