Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46274

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-416 Utilización después de liberación
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io-wq: check that the predecessor is hashed in io_wq_remove_pending()<br /> <br /> io_wq_remove_pending() needs to fix up wq-&gt;hash_tail[] if the cancelled<br /> work was the tail of its hash bucket. When doing this, it checks whether<br /> the preceding entry in acct-&gt;work_list has the same hash value, but<br /> never checks that the predecessor is hashed at all. io_get_work_hash()<br /> is simply atomic_read(&amp;work-&gt;flags) &gt;&gt; IO_WQ_HASH_SHIFT, and the hash<br /> bits are never set for non-hashed work, so it returns 0. Thus, when a<br /> hashed bucket-0 work is cancelled while a non-hashed work is its list<br /> predecessor, the check spuriously passes and a pointer to the non-hashed<br /> io_kiocb is stored in wq-&gt;hash_tail[0].<br /> <br /> Because non-hashed work is dequeued via the fast path in<br /> io_get_next_work(), which never touches hash_tail[], the stale pointer<br /> is never cleared. Therefore, after the non-hashed io_kiocb completes and<br /> is freed back to req_cachep, wq-&gt;hash_tail[0] is a dangling pointer. The<br /> io_wq is per-task (tctx-&gt;io_wq) and survives ring open/close, so the<br /> dangling pointer persists for the lifetime of the task; the next hashed<br /> bucket-0 enqueue dereferences it in io_wq_insert_work() and<br /> wq_list_add_after() writes through freed memory.<br /> <br /> Add the missing io_wq_is_hashed() check so a non-hashed predecessor<br /> never inherits a hash_tail[] slot.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.8.6 (incluyendo) 5.9 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9.1 (incluyendo) 6.6.141 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.91 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.33 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 7.0.10 (excluyendo)
cpe:2.3:o:linux:linux_kernel:5.9:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.9:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*