CVE-2026-46274
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-416
Utilización después de liberación
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
io-wq: check that the predecessor is hashed in io_wq_remove_pending()<br />
<br />
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled<br />
work was the tail of its hash bucket. When doing this, it checks whether<br />
the preceding entry in acct->work_list has the same hash value, but<br />
never checks that the predecessor is hashed at all. io_get_work_hash()<br />
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash<br />
bits are never set for non-hashed work, so it returns 0. Thus, when a<br />
hashed bucket-0 work is cancelled while a non-hashed work is its list<br />
predecessor, the check spuriously passes and a pointer to the non-hashed<br />
io_kiocb is stored in wq->hash_tail[0].<br />
<br />
Because non-hashed work is dequeued via the fast path in<br />
io_get_next_work(), which never touches hash_tail[], the stale pointer<br />
is never cleared. Therefore, after the non-hashed io_kiocb completes and<br />
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The<br />
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the<br />
dangling pointer persists for the lifetime of the task; the next hashed<br />
bucket-0 enqueue dereferences it in io_wq_insert_work() and<br />
wq_list_add_after() writes through freed memory.<br />
<br />
Add the missing io_wq_is_hashed() check so a non-hashed predecessor<br />
never inherits a hash_tail[] slot.
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8.6 (incluyendo) | 5.9 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.9.1 (incluyendo) | 6.6.141 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.91 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.33 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.10 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:5.9:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.9:rc8:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06
- https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603
- https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a
- https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc
- https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769



