PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45995 Linux CVE debrief

CVE-2026-45995 is a use-after-free (UAF) vulnerability in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) ring buffer handling. The flaw occurs in `io_free_rbuf_ring()`, which accesses a `struct user_struct` that `io_zcrx_ifq_free()` has already put (decremented its reference count), leading to potential memory corruption or privilege escalation. The vulnerability was resolved by ensuring the proper order of reference counting operations during ring destruction.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and security teams operating systems with io_uring enabled, particularly those utilizing zero-copy receive functionality for high-performance networking applications.

Technical summary

The vulnerability exists in the io_uring zero-copy receive (zcrx) implementation. The function `io_free_rbuf_ring()` accesses a `struct user_struct` pointer after `io_zcrx_ifq_free()` has already called `put_user_struct()` on it, resulting in a use-after-free condition. This can lead to memory corruption or potentially local privilege escalation. The fix ensures proper ordering of reference count operations during ring buffer teardown.

Defensive priority

High

Recommended defensive actions

  • Apply kernel patches from stable tree commits referenced in CVE record
  • Prioritize patching systems using io_uring with zero-copy receive (zcrx) functionality
  • Monitor for stable kernel updates containing the fix
  • Review custom io_uring applications for zcrx usage
  • Consider disabling io_uring or zcrx features if patching is not immediately feasible and functionality is not required
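
A triage script for the last two actions above, added here as an example; it is not PatchSiren's or the kernel project's code. It reads the `kernel.io_uring_disabled` sysctl (present since Linux 6.6) and looks for `CONFIG_IO_URING_ZCRX` in the kernel config. The result labels and the default config path `/boot/config-$(uname -r)` are assumptions of this example.

```shell
#!/bin/sh
# Added example: io_uring / zcrx exposure triage for one Linux host.
# File paths are parameters so the logic can be run against constructed files.
# The result labels are this example's own, not kernel terminology.

# kernel.io_uring_disabled: 0 = any process may create rings,
# 1 = only CAP_SYS_ADMIN or members of kernel.io_uring_group,
# 2 = creation of new io_uring instances is disabled for all processes.
io_uring_state() {
    sysctl_file=${1:-/proc/sys/kernel/io_uring_disabled}
    if [ ! -r "$sysctl_file" ]; then
        # Kernels before 6.6 have no such sysctl; only the config decides.
        echo "no-sysctl"; return 0
    fi
    case "$(cat "$sysctl_file")" in
        0) echo "enabled-all" ;;
        1) echo "restricted" ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Was zero-copy receive support built into this kernel?
zcrx_built() {
    config_file=$1
    [ -r "$config_file" ] || { echo "unknown"; return 0; }
    if grep -q '^CONFIG_IO_URING_ZCRX=y' "$config_file"; then
        echo "yes"
    else
        echo "no"
    fi
}

# Combine both facts into a patch-ordering hint for this host.
zcrx_exposure() {
    state=$(io_uring_state "$1")
    built=$(zcrx_built "$2")
    case "$state:$built" in
        disabled:*)          echo "mitigated" ;;        # still patch, lower urgency
        *:no)                echo "not-exposed" ;;      # zcrx code not compiled in
        *:unknown|unknown:*) echo "check-manually" ;;   # config or sysctl unreadable
        restricted:yes)      echo "patch-restricted" ;; # privileged users only
        *)                   echo "patch-first" ;;      # zcrx built, io_uring open
    esac
}

# Report for the running host.
zcrx_exposure /proc/sys/kernel/io_uring_disabled "/boot/config-$(uname -r)"
```

Setting the sysctl to 2 stops new io_uring instances from being created; rings that already exist keep running until their owning processes exit, so restart those services or reboot after changing it.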

Evidence notes

CVE published 2026-05-27T14:17:17.080Z; modified 2026-05-27T14:48:03.013Z. Kernel commit references confirm fix in stable tree.
