CVE-2026-23275
Published: 20 March 2026
Summary
CVE-2026-23275 is a high-severity vulnerability in the Linux kernel, with no weakness class specified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23275 is a vulnerability in the Linux kernel's io_uring subsystem: ctx->rings is not stable for task work flags manipulation while the ring is being resized and DEFER_TASKRUN | SETUP_TASKRUN is in use. Specifically, if task work is added while the ring is being resized, a race condition can occur in the narrow window between swapping to the new rings and freeing the old ones, so that the OR'ing of the IORING_SQ_TASKRUN flag lands in that window. This affects Linux kernel versions supporting io_uring with ring resizing in DEFER_TASKRUN mode.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling privilege escalation, data corruption, or system crashes through the race condition in io_uring operations.
The referenced kernel commits fix the issue by introducing a second pointer, ->rings_rcu, which is protected by RCU and keeps the rings stable during task work flag operations. The old rings are freed after a resize only once an RCU synchronize has completed, which avoids adding locks to the fast path of task work additions. The fix applies specifically to DEFER_TASKRUN mode, the only one supporting resizing, and uses the io_ctx_mark_taskrun() helper; other modes would require similar handling if resizing were extended to them.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13611
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel race condition in io_uring directly enables local privilege escalation (AV:L/PR:L) to achieve high impact on confidentiality/integrity/availability.
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely identification, reporting, and correction of the io_uring race condition flaw through Linux kernel patching.
Requires vulnerability scanning to identify Linux kernel versions vulnerable to the io_uring ring resizing race condition in CVE-2026-23275.
Enforces secure kernel configuration settings that can disable or restrict io_uring features, mitigating exposure to the ring resizing race condition.
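For the configuration control above, the following added example (not part of the original advisory or the kernel project) reports whether a given unprivileged user can create io_uring instances at all on a host. It assumes the kernel exposes the kernel.io_uring_disabled and kernel.io_uring_group sysctls, which this page does not mention; it does not tell you whether the running kernel carries the fix, so patching remains the remediation.

```shell
#!/bin/sh
# Added example: classify io_uring reachability for an unprivileged local user.
# Assumed sysctl semantics (kernel.io_uring_disabled):
#   0 = any process may create io_uring instances
#   1 = only CAP_SYS_ADMIN or members of kernel.io_uring_group may
#   2 = io_uring creation is disabled for all processes

# io_uring_exposure DISABLED GROUP_GID "USER_GIDS"
# Prints one of: exposed | restricted | disabled | unknown
io_uring_exposure() {
    disabled=$1; group=$2; user_gids=$3
    case "$disabled" in
        2) echo disabled ;;
        1)
            # A group value of -1 means no group is exempt from the restriction.
            if [ -n "$group" ] && [ "$group" != "-1" ]; then
                for g in $user_gids; do
                    if [ "$g" = "$group" ]; then
                        echo exposed
                        return 0
                    fi
                done
            fi
            echo restricted ;;
        0) echo exposed ;;
        # Empty or unexpected value: sysctl missing or unreadable on this kernel.
        *) echo unknown ;;
    esac
}

# Print a sysctl file's content, or nothing if it does not exist.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; fi
}

# Evaluate the current host for the user running the script.
check_host() {
    d=$(read_sysctl /proc/sys/kernel/io_uring_disabled)
    g=$(read_sysctl /proc/sys/kernel/io_uring_group)
    io_uring_exposure "$d" "$g" "$(id -G)"
}

check_host
```

A result of "unknown" means the sysctl is absent, so io_uring cannot be restricted this way on that kernel and the decision falls back to patch level alone.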