7.8

CVE-2026-52933

io_uring/poll: fix signed comparison in io_poll_get_ownership()

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix signed comparison in io_poll_get_ownership()

io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:

    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.82 < 5.16
LinuxLinux Kernel Version >= 6.0.11 < 6.1
LinuxLinux Kernel Version >= 6.1.1 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.86
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
LinuxLinux Kernel Version6.1 Update-
LinuxLinux Kernel Version6.1 Updaterc7
LinuxLinux Kernel Version6.1 Updaterc8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.022
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

https://git.kernel.org/stable/c/81bf96b0abbfa4cd47ea32e12596aed3855fb2f3
Patch
https://git.kernel.org/stable/c/cf522703d4f194991615763697ae25a3f9539763
Patch
https://git.kernel.org/stable/c/fc47043f3d9af3efa407665b47f8378ec691ba18
Patch
https://git.kernel.org/stable/c/ea0697129807d718037f618221037aa0660ee3c5
Patch
https://git.kernel.org/stable/c/c6d191164dc81838d8dbf452a6000f68c558d1ae
Patch
https://git.kernel.org/stable/c/326941b22806cbf2df1fbfe902b7908b368cce42
Patch