PatchSiren


CVE-2026-45975 Linux CVE debrief

A race condition vulnerability in the Linux kernel's ublk (userspace block device) subsystem could allow local attackers to manipulate control command data through concurrent userspace writes. The flaw exists because `struct ublksrv_ctrl_cmd`, embedded within io_uring submission queue entries (SQEs) mapped to userspace memory, was accessed with normal loads rather than atomic reads. This creates a TOCTOU (time-of-check to time-of-use) window where a malicious or racing userspace process could modify command fields between validation and use. The fix applies `READ_ONCE()` to safely copy the control command structure to the stack before processing, ensuring consistent state throughout the operation. This vulnerability affects systems using ublk with io_uring, which is commonly employed for high-performance block I/O virtualization in container and cloud environments.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with ublk enabled; container platform operators using io_uring-based storage virtualization; security teams monitoring for local privilege escalation vectors in multi-tenant environments; kernel maintainers and distribution packagers tracking stable branch updates

Technical summary

The ublk driver processes control commands embedded in io_uring SQEs. These SQEs reside in memory-mapped buffers accessible to userspace. The original code accessed `struct ublksrv_ctrl_cmd` fields directly in that shared memory, creating a race where userspace could modify values after kernel validation but before use. The resolution copies the structure to stack memory using `READ_ONCE()` semantics, so the command is read once and every later check and use operates on the same local snapshot. This is a classic kernel/userspace boundary safety issue in interfaces backed by memory mapped into userspace.
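
The check-then-use window and the snapshot fix described above, modelled in userspace C as an added example (not the kernel patch or the ublk driver's code). `struct demo_ctrl_cmd`, `DEMO_MAX_LEN`, the handler names and the `racer` callback that stands in for a concurrent userspace writer are hypothetical, and `READ_ONCE()` here is a simplified stand-in for the kernel macro.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified userspace stand-in for the kernel's READ_ONCE(): one volatile load. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))
#define DEMO_MAX_LEN 64u

/* Hypothetical command layout; NOT the real struct ublksrv_ctrl_cmd. */
struct demo_ctrl_cmd {
    uint32_t dev_id;
    uint16_t len;
    uint64_t addr;
};

/* Stands in for a concurrent userspace writer to the shared SQE memory. */
typedef void (*racer_fn)(struct demo_ctrl_cmd *shared);
void racer_grow_len(struct demo_ctrl_cmd *shared) { shared->len = 4096; }

/* "Before" pattern: validate a field in shared memory, then read it again.
 * Returns the length that would be acted on, or -1 if validation rejects. */
long handle_double_fetch(struct demo_ctrl_cmd *shared, racer_fn racer)
{
    if (shared->len > DEMO_MAX_LEN)      /* check: first fetch */
        return -1;
    if (racer) racer(shared);            /* writer runs inside the window */
    return shared->len;                  /* use: second fetch, never validated */
}

/* "After" pattern: snapshot each field once, then touch only the local copy. */
long handle_snapshot(struct demo_ctrl_cmd *shared, racer_fn racer)
{
    struct demo_ctrl_cmd cmd = {
        .dev_id = READ_ONCE(shared->dev_id),
        .len    = READ_ONCE(shared->len),
        .addr   = READ_ONCE(shared->addr),
    };
    if (cmd.len > DEMO_MAX_LEN)
        return -1;
    if (racer) racer(shared);            /* later writes cannot change cmd */
    return cmd.len;
}

int main(void)
{
    struct demo_ctrl_cmd a = { .len = 16 }, b = { .len = 16 };  /* constructed input */
    printf("double fetch acts on len=%ld\n", handle_double_fetch(&a, racer_grow_len));
    printf("snapshot acts on len=%ld\n", handle_snapshot(&b, racer_grow_len));
    return 0;
}
```

The callback makes the interleaving deterministic; in the real interface the write comes from another thread at an arbitrary point, which is why the snapshot has to be taken before any field is inspected.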

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches (commits ce63eda3e6d36e2c253febee1c8421ecbd1a680e and ed9f54cc1e335096733aed03c2a46de3d58922ed) when available for your distribution
  • Monitor distribution security advisories for backported fixes to supported kernel versions
  • Restrict unprivileged access to ublk devices and io_uring interfaces where possible
  • Review container and virtualization workloads for ublk usage and assess exposure
  • Enable kernel live patching if available to deploy fixes without reboot
  • Audit systems for unexpected io_uring syscall usage from untrusted processes

Evidence notes

Vulnerability description confirms the race condition mechanism and fix approach. Kernel commit references (ref-4, ref-5) provide authoritative patch verification. CVE published 2026-05-27T14:17:14.590Z per official record.
