On Mon, May 04, 2026 at 07:02:30AM +0100, Pavel Begunkov wrote:
> On 5/3/26 12:00, Mohamed salem Eddah wrote:
> >I am reporting a security issue in the Linux kernel involving an
> >out-of-bounds heap write in io_uring/zcrx.c.
> >
> >This issue appears to have been addressed in commit 770594e
> >(“io_uring/zcrx: warn on freelist violations”, April 21, 2026), however it
> >was not assigned a CVE and does not appear to have been included in a
> >formal security advisory. As a result, multiple stable and downstream
> >distribution kernels are still affected.
> >------------------------------
> >Vulnerability Summary
> >
> >*File:* io_uring/zcrx.c
> >*Function:* io_zcrx_return_niov_freelist()
> >*Introduced:* Linux 6.12 (initial ZCRX merge)
> 
> FWIW, it was added IIRC in 6.15, but not 6.12
> 
> >*Fixed upstream:* 770594e (Apr 21, 2026)
> >*Status:* Fix not yet present in stable releases
> Did you trigger the problem or the warning in a new kernel
> without the attached modules? Which kernel version / hash
> was it? There was a fix for the scrub case, but otherwise I
> don't immediately see how that can happen. I'll take a look.

I only skimmed, but as far as I can tell Mohamed isn't the original
finder of this issue and the report and PoCs are AI-generated, which
could be why Mohamed is not communicating further.  It's becoming a
trend - someone sends an AI-generated report and doesn't communicate.
Which doesn't mean the report is useless, but it does complicate its
handling.

Meanwhile, it looks like there's a blog post (by someone else? I am
confused) on exploitation of this issue, with exploit files attached:

https://ze3tar.github.io/post-zcrx.html

Alexander
