CVE-2026-46315

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/waitid: clear waitid info before copying it to userspace<br /> <br /> IORING_OP_WAITID stores its result fields in struct io_waitid::info and<br /> later copies them to userspace siginfo. The prep path initializes the<br /> request arguments, but it does not initialize info itself.<br /> <br /> If the wait operation completes without reporting a child event, the common<br /> wait code can return without writing wo_info. In that case io_waitid_finish()<br /> still copies iw-&gt;info to userspace, exposing stale bytes from the reused<br /> io_kiocb command storage.<br /> <br /> Clear the result storage during prep so the io_uring path matches the<br /> regular waitid syscall, which uses a zero-initialized struct waitid_info.