CVE-2026-23275
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/03/2026
Last modified: 20/03/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while
the ring is being resized, it's possible for the OR'ing of
IORING_SQ_TASKRUN to happen in the small window of swapping into the
new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is
protected by RCU. The task work flags manipulation is inside RCU
already, and if the resize ring freeing is done post an RCU synchronize,
then there's no need to add locking to the fast path of task work
additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode
that supports ring resizing. If this ever changes, then they too need to
use the io_ctx_mark_taskrun() helper.



