CVE-2023-52926

High

Published: 24 February 2025

Modified: 03 November 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52926 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2023-52926 is a use-after-free vulnerability (CWE-416) in the Linux kernel's io_uring subsystem, specifically affecting the IORING_OP_READ operation. The issue arises because IORING_OP_READ does not correctly consume the provided buffer list when a read I/O returns a negative error code (except for -EAGAIN and -EIOCBQUEUED). This mishandling can lead to a use-after-free condition when the I/O completion is processed via io_rw_done in a separate context. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability: attack complexity is low and no user interaction is required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or denial of service within the kernel context.

Mitigation involves applying the relevant upstream patches, as documented in kernel stable commit references such as 6c27fc6a783c8a77c756dd5461b15e465020d075, 72060434a14caea20925e492310d6e680e3f9007, and a08d195b586a217d76b42062f88f375a3eedda4d. Debian LTS users are advised to update affected systems per the announcement at lists.debian.org/debian-lts-announce/2025/03/msg00001.html, which details backported fixes for stable branches.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in io_uring directly enables exploitation for privilege escalation to kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.1 — 6.1.122 · 6.2 — 6.6.68

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the use-after-free vulnerability in io_uring's IORING_OP_READ by requiring timely identification, reporting, and patching of the kernel flaw as per upstream commits.

prevent

Provides memory protection safeguards like address space layout randomization and non-executable memory that hinder exploitation of the use-after-free in kernel buffer handling.

prevent

Mandates secure error handling for negative return codes in I/O operations to prevent improper buffer list consumption leading to use-after-free during io_rw_done completion.
