Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
A use-after-free flaw was found in the Linux kernel's io_uring subsystem, in the way a local user uses the io_uring interface (with IORING_OP_WAITID).
A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
Report
io_waitid_wait() didn't always prune the wait-queue entry on success when a cancellation was in progress. This left the entry on the list, where it could race with another invocation of the callback, which could lead to double callbacks and list corruption (a potential use-after-free). io_uring is enabled only in the latest versions of Red Hat Enterprise Linux (from 9.3).
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | | |
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:22854 | 09.12.2025 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | kernel | Fixed | RHSA-2026:1727 | 02.02.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:21469 | 17.11.2025 |
Additional information
CVSS3: 7.8 High
Related vulnerabilities
A vulnerability in the io_waitid_wait() function of the Linux operating system kernel that allows an attacker to cause a denial of service