CVE-2026-46274
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0 < d6bda9df0c0a3080804181464d5c0f4d78a4e769 | affected |
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0 < 5a20ebf0c81b61f5ea3b1b529c100cad69b9f603 | affected |
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0 < 252c5051dba9c709b6a72f2866f93e5e618b3f06 | affected |
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0 < d376c131af7c7739a87ff037ed2fdb67c2542c8a | affected |
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0 < d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc | affected |
| Linux | Linux | 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5 | affected |
| Linux | Linux | 5.8.6 < 5.9 | affected |
| Linux | Linux | 5.9 | affected |
| Linux | Linux | 0 < 5.9 | unaffected |
| Linux | Linux | 6.6.141 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.91 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.33 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769
- https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603
- https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06
- https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a
- https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.