PatchSiren cyber security CVE debrief
CVE-2026-23275 Linux CVE debrief
CVE-2026-23275 describes a Linux kernel io_uring race condition during ring resizing. When DEFER_TASKRUN and SETUP_TASKRUN are used, task work added at the same time a ring is being resized can race with the swap to the new rings object and the freeing of the old one. The result is a narrow window where task-run flag manipulation can occur against a rings object that is no longer stable. The fix introduces a second rings pointer protected by RCU and delays freeing until after an RCU synchronize, keeping the fast path unchanged while closing the race.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-04-02
- Advisory published: 2026-03-20
- Advisory updated: 2026-04-02
Who should care
Linux kernel maintainers, distribution security teams, and operators of systems or workloads that use io_uring with DEFER_TASKRUN/SETUP_TASKRUN. It is especially relevant for environments that rely on kernel updates and backported stable fixes.
Technical summary
The issue is in io_uring task-work flag handling during ring resize. The kernel resolves a race where IORING_SQ_TASKRUN may be OR'ed into ctx->rings while the context is transitioning to a new rings object and the old one is being freed. According to the supplied resolution text, the mitigation is to add ctx->rings_rcu as an RCU-protected pointer for task-work flag manipulation and to defer freeing the resized ring until after an RCU synchronize. The change is limited to DEFER_TASKRUN because that is the only setup mode that supports ring resizing in the described code path.
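The publish-then-defer-free pattern described above, as an added user-space model that is not kernel code and is not taken from the referenced commits. Only `rings`, `rings_rcu` and `IORING_SQ_TASKRUN` are names from the description; every other identifier is hypothetical, and a reader counter stands in for the RCU grace period.

```c
/* User-space model of the fix pattern; NOT kernel code. Only rings,
 * rings_rcu and IORING_SQ_TASKRUN come from the page; the rest is
 * hypothetical, and the reader counter merely stands in for RCU. */
#include <stdatomic.h>
#include <stdlib.h>
#define IORING_SQ_TASKRUN (1U << 2)  /* bit position assumed for the model */
struct rings { atomic_uint sq_flags; };
struct ctx {
    struct rings *rings;                /* pointer used by the ring owner */
    _Atomic(struct rings *) rings_rcu;  /* pointer used by task-work adders */
    atomic_int readers;                 /* open read-side sections */
    struct rings *retired;              /* old rings awaiting reclaim */
};

static struct rings *reader_enter(struct ctx *c) {  /* lock + dereference */
    atomic_fetch_add(&c->readers, 1);
    return atomic_load(&c->rings_rcu);
}
static void reader_exit(struct ctx *c) { atomic_fetch_sub(&c->readers, 1); }
/* Publish new rings; the old object is retired, not freed. */
static int resize(struct ctx *c) {
    struct rings *n = calloc(1, sizeof(*n));
    if (!n || c->retired) { free(n); return -1; }  /* one resize in flight */
    c->retired = c->rings;
    c->rings = n;
    atomic_store(&c->rings_rcu, n);
    return 0;
}
/* Stand-in for "synchronize, then free": returns 1 once the old rings
 * were released, 0 while a reader that may hold them is still inside. */
static int reclaim(struct ctx *c) {
    if (!c->retired || atomic_load(&c->readers) != 0) return 0;
    free(c->retired);
    c->retired = NULL;
    return 1;
}
int main(void) {
    struct ctx c = {0};
    c.rings = calloc(1, sizeof(struct rings));
    if (!c.rings) return 1;
    atomic_store(&c.rings_rcu, c.rings);
    struct rings *old = reader_enter(&c);     /* task work arrives ... */
    if (resize(&c) || reclaim(&c)) return 1;  /* ... during a resize */
    atomic_fetch_or(&old->sq_flags, IORING_SQ_TASKRUN); /* old still valid */
    reader_exit(&c);
    int ok = reclaim(&c);                     /* now the old rings can go */
    free(c.rings);
    return ok ? 0 : 1;
}
```

In the kernel the wait is a blocking RCU synchronize on the resize path; the model's non-blocking `reclaim()` only makes the ordering observable in a single thread.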
Defensive priority
High priority for kernel patching if you deploy affected Linux kernels and use io_uring in DEFER_TASKRUN mode. The issue is concurrency-sensitive and can affect kernel stability or correctness, so backporting the stable fix should be treated as a timely maintenance item.
Recommended defensive actions
- Check whether your Linux kernel build includes the stable fixes referenced by the official kernel commit links.
- Prioritize applying vendor or distribution backports for the io_uring ring-resize race fix.
- If you rely on io_uring with DEFER_TASKRUN, validate that patched kernels are present across all production hosts.
- Track distribution security advisories for kernel updates that include the io_uring RCU stabilization change.
- If you maintain a kernel-based appliance or custom kernel tree, review whether the io_uring task-work path includes the rings_rcu and RCU synchronize changes.
Evidence notes
The supplied CVE description states that the race occurs when DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized. It also states the fix: add a second ctx->rings pointer (rings_rcu) protected by RCU and free the old ring only after an RCU synchronize. The NVD record is marked 'Undergoing Analysis' in the supplied source, so affected-version scope is not expanded beyond the kernel-specific text provided. Official reference links are kernel.org stable commit URLs; no additional exploit details or impact assertions are introduced here.
Official resources
- CVE-2026-23275 CVE record (CVE.org)
- CVE-2026-23275 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CVE published at 2026-03-20T09:16:13.223Z and last modified at 2026-04-02T15:16:29.997Z, per the supplied timeline. This debrief uses the published CVE date for timing context and does not infer any earlier or later issue date.