CVE-2026-23253

Summary

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < 527cfa8a3486b3555c5c15e2f62be484a11398dcaffected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < fb378cf89be434ed1f10ab79cc4788fba8ae868daffected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < f1e520ca2e83ece6731af6167c9e5e16931ecba0affected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < af050ab44fa1b1897a940d7d756e512232f5e5dfaffected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < d71781bad59b1c9d60d7068004581f9bf19c0c9daffected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < cfd94642025e6f71c8f754bdec0800ee95e4f3ddaffected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < 32eb8e4adc207ef31bc6e5ae56bab940b0176066affected
LinuxLinux34731df288a5ffe4b0c396caf8cd24c6a710a222 < bfbc0b5b32a8f28ce284add619bf226716a59bc0affected
LinuxLinux2.6.17affected
LinuxLinux0 < 2.6.17unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References