On 5/3/26 12:00, Mohamed salem Eddah wrote:
> Hello,
>
> I am reporting a security issue in the Linux kernel involving an
> out-of-bounds heap write in io_uring/zcrx.c.
>
> This issue appears to have been addressed in commit 770594e
> (“io_uring/zcrx: warn on freelist violations”, April 21, 2026); however, it
> was not assigned a CVE and does not appear to have been included in a
> formal security advisory. As a result, multiple stable and downstream
> distribution kernels are still affected.
> ------------------------------
> Vulnerability Summary
>
> File: io_uring/zcrx.c
> Function: io_zcrx_return_niov_freelist()
> Introduced: Linux 6.12 (initial ZCRX merge)

FWIW, it was added IIRC in 6.15, not 6.12.

> Fixed upstream: 770594e (Apr 21, 2026)
> Status: Fix not yet present in stable releases

Did you trigger the problem or the warning in a new kernel
without the attached modules? Which kernel version / hash
was it? There was a fix for the scrub case, but otherwise I
don't immediately see how that can happen. I'll take a look.

--
Pavel Begunkov
