7.8
CVE-2026-46274
- EPSS 0.14%
- Veröffentlicht 08.06.2026 14:30:53
- Zuletzt bearbeitet 08.07.2026 14:46:03
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
In the Linux kernel, the following vulnerability has been resolved: io-wq: check that the predecessor is hashed in io_wq_remove_pending() io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0]. Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory. Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.8.6 < 5.9
Linux ≫ Linux Kernel Version >= 5.9.1 < 6.6.141
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.91
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.33
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.10
Linux ≫ Linux Kernel Version5.9 Update-
Linux ≫ Linux Kernel Version5.9 Updaterc3
Linux ≫ Linux Kernel Version5.9 Updaterc4
Linux ≫ Linux Kernel Version5.9 Updaterc5
Linux ≫ Linux Kernel Version5.9 Updaterc6
Linux ≫ Linux Kernel Version5.9 Updaterc7
Linux ≫ Linux Kernel Version5.9 Updaterc8
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.035 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769
https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603
https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06
https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a
https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc