Cyber Resilience

CVE-2026-23275

High · Updated

Published: 20 March 2026
Modified: 22 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23275 is a high-severity vulnerability in the Linux kernel; no weakness class is specified for it. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 4.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-23275 is a vulnerability in the Linux kernel's io_uring subsystem: the ctx->rings pointer is not stable for task work flags manipulation while a ring is being resized with DEFER_TASKRUN or SETUP_TASKRUN active. Specifically, if task work is added while the ring is being resized, a race condition can occur in the narrow window between swapping to the new rings and freeing the old ones, so the OR'ing of the IORING_SQ_TASKRUN flag can happen inside that window. This affects Linux kernel versions supporting io_uring with ring resizing in DEFER_TASKRUN mode.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling privilege escalation, data corruption, or system crashes through the race condition in io_uring operations.

The referenced kernel commits fix the issue by introducing a second pointer, ->rings_rcu, protected by RCU, so that the rings stay stable during task work flag operations. The old rings are freed only after an RCU synchronize following the resize, which avoids adding locks to the fast path of task work additions. The fix applies specifically to DEFER_TASKRUN mode, the only one supporting resizing, and uses the io_ctx_mark_taskrun() helper; other modes would need to use the same helper if they ever gain resize support.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Kernel race condition in io_uring directly enables local privilege escalation (AV:L/PR:L) to achieve high impact on confidentiality/integrity/availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 · Same product: Linux Linux Kernel
CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-23387 · Same product: Linux Linux Kernel
CVE-2025-21856 · Same product: Linux Linux Kernel
CVE-2025-21727 · Same product: Linux Linux Kernel
CVE-2026-31401 · Same product: Linux Linux Kernel
CVE-2024-57980 · Same product: Linux Linux Kernel
CVE-2026-23437 · Same product: Linux Linux Kernel
CVE-2026-31586 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 6.13 — 6.18.19 · 6.19 — 6.19.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · recover

Directly mandates timely identification, reporting, and correction of the io_uring race condition flaw through Linux kernel patching.

detect

Requires vulnerability scanning to identify Linux kernel versions vulnerable to the io_uring ring resizing race condition in CVE-2026-23275.

prevent

Enforces secure kernel configuration settings that can disable or restrict io_uring features, mitigating exposure to the ring resizing race condition.
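
A host-side check covering the version identification and io_uring configuration controls above, as an added example that is not part of the original advisory. It assumes the affected ranges listed on this page are inclusive upstream version bounds and reads the kernel.io_uring_disabled sysctl; distribution kernels may carry backported fixes, so a range match is an indicator to confirm against the vendor's advisory.

```python
import platform
import re
from pathlib import Path

# Affected upstream versions as listed on this page. Assumption: the bounds
# shown are inclusive, and "7.0" means 7.0 itself (including its -rc builds).
AFFECTED = [((6, 13, 0), (6, 18, 19)), ((6, 19, 0), (6, 19, 9)), ((7, 0, 0), (7, 0, 0))]

# kernel.io_uring_disabled values, per the kernel's sysctl documentation.
POLICY = {
    0: "io_uring available to all processes",
    1: "io_uring limited to CAP_SYS_ADMIN or members of kernel.io_uring_group",
    2: "io_uring disabled for all processes",
}

def parse_release(release):
    """Turn a uname -r string such as '6.18.7-200.fc43.x86_64' into (6, 18, 7)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())

def in_affected_range(release):
    version = parse_release(release)
    return any(low <= version <= high for low, high in AFFECTED)

def io_uring_policy(path="/proc/sys/kernel/io_uring_disabled"):
    """Return the sysctl value, or None if it cannot be read."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None

def assess(release, policy):
    if not in_affected_range(release):
        return "outside listed ranges"
    if policy == 2:
        return "in listed range; io_uring disabled"
    if policy == 1:
        return "in listed range; io_uring restricted to privileged users"
    if policy is None:
        return "in listed range; io_uring policy unknown"
    return "in listed range; io_uring unrestricted, patch or restrict"

if __name__ == "__main__":
    release, policy = platform.release(), io_uring_policy()
    print(release, "->", assess(release, policy))
    print("io_uring_disabled:", POLICY.get(policy, "not readable"))
```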
