HIGH 7.8

CVE-2026-46274: Linux Kernel I/O Work Queue Use-After-Free Privilege Escalation

A memory safety bug exists in the Linux kernel's I/O work queue subsystem that can allow a local attacker with user privileges to corrupt kernel memory and crash the system or gain elevated privileges. The vulnerability arises from incomplete validation when removing pending work items from the queue, causing the kernel to retain a dangling pointer to freed memory. When that corrupted pointer is subsequently accessed, it can trigger a write to already-freed kernel structures, leading to heap corruption and potential privilege escalation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
11 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: io-wq: check that the predecessor is hashed in io_wq_remove_pending() io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0]. Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory. Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The io_wq_remove_pending() function in the Linux kernel's I/O work queue implementation has a use-after-free vulnerability (CWE-416). When cancelling a hashed work item that is the tail of its hash bucket, the code checks if the predecessor has the same hash value to potentially update the tail pointer. However, it fails to verify that the predecessor is actually hashed before inheriting the tail slot. Since non-hashed work items have zero hash bits, io_get_work_hash() returns 0 for them, allowing the spurious check to pass. This causes a pointer to a non-hashed io_kiocb to be stored in wq->hash_tail[]. Non-hashed work is dequeued via the fast path which never touches hash_tail[], leaving the stale pointer uncleared. When the non-hashed io_kiocb is freed back to the slab allocator, wq->hash_tail[] becomes a dangling pointer that persists across the task's lifetime. Subsequent hashed bucket-0 enqueues then dereference and write through this freed memory in io_wq_insert_work() and wq_list_add_after().

Business impact

This vulnerability enables local privilege escalation on Linux systems where unprivileged users can trigger I/O work queue operations. An attacker with user-level access can corrupt kernel heap memory, leading to denial of service or privilege escalation to root. Since the I/O work queue is per-task and survives ring open/close cycles, exploitation can occur repeatedly within a single user session. Any system allowing untrusted local users—including shared hosting, multi-tenant containers, and development machines—faces material risk of total compromise.

Affected systems

The Linux kernel is affected. The vulnerability impacts all kernel versions that include the vulnerable io_wq_remove_pending() implementation, which handles work cancellation in the asynchronous I/O subsystem. Verify your kernel version against vendor advisories and patch release notes to determine exact affected versions and remediation availability.

Exploitability

Exploitation requires local code execution with user-level privileges (not root). The attack surface is broad: any application using Linux asynchronous I/O (aio) or io_uring can trigger the vulnerable code path. An attacker would craft I/O operations that queue hashed work followed by non-hashed work, then cancel the hashed work to trigger the memory corruption. No user interaction is required. The kernel is actively running with full access to exploit the corrupted memory, making weaponization to achieve privilege escalation or denial of service practical.

Remediation

Apply the upstream Linux kernel patch that adds the missing io_wq_is_hashed() validation check in io_wq_remove_pending(). This ensures that only hashed predecessors can inherit tail pointer slots, preventing non-hashed io_kiocb pointers from being stored in wq->hash_tail[]. Verify against the official Linux kernel patches and your distribution's security advisory for the exact version containing the fix and your deployment timeline.

Patch guidance

Check your Linux distribution's security bulletin for the patched kernel version. Most distributions backport critical fixes to their maintained kernel branches. Prioritize kernel updates on systems with untrusted local users. Testing in a staging environment is recommended before production deployment. Verify the patch is applied by checking kernel version information post-update. If kernel live-patching is available, use it to minimize downtime on critical systems.

Detection guidance

Monitor system logs for kernel panics, out-of-memory errors, or unexpected segmentation faults in kernel context, as these may indicate heap corruption from this vulnerability. Watch for suspicious patterns of I/O operations from non-system processes that rapidly enqueue and cancel work items. Memory sanitizers and kernel debugging (KASAN, UBSAN) can detect the use-after-free if enabled, showing freed-memory writes in the io_wq code path. However, on production systems without special instrumentation, exploitation may be difficult to detect in real-time; focus instead on rapid patching.

Why prioritize this

HIGH severity (CVSS 7.8) with local privilege escalation capability warrants urgent patching. The vulnerability requires only user-level access and affects a fundamental kernel subsystem (I/O queuing) used by many applications. The memory corruption is deterministic and exploitable. Not yet in the CISA KEV catalog, but the technical characteristics make it a credible exploit target. Organizations should prioritize Linux kernel updates for systems with untrusted local users.

Risk score, explained

CVSS 3.1 score of 7.8 reflects: local attack vector (AV:L) requiring user privileges but no special access (PR:L); low complexity (AC:L); negligible user interaction (UI:N); impact isolated to a single system (S:U); and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of local heap corruption with privilege escalation implications, though organizations in high-trust environments may tolerate slightly elevated risk compared to those with adversarial multi-tenant workloads.

Frequently asked questions

Can this be exploited remotely?

No. This vulnerability requires local code execution on the affected system. The attacker must be able to run code with user privileges on the machine. However, containerization does not fully isolate the kernel, so container escape techniques could be combined with this flaw.

Do I need to reboot to apply the patch?

Yes. Linux kernel patches require a reboot to take effect in the running kernel. Some distributions offer live-patching tools that can apply security patches without a reboot, but traditional patching necessitates downtime. Plan maintenance windows accordingly.

What applications are most at risk?

Any application using Linux asynchronous I/O (aio) or io_uring is potentially affected. This includes database systems, high-performance web servers, and custom application code that directly leverages AIO. Verify with your application vendor whether they use these subsystems and request guidance on patch testing.

Is there a workaround if I cannot patch immediately?

No reliable workaround exists. Restricting local user access (e.g., disabling untrusted user accounts or limiting container permissions) reduces exposure, but does not eliminate risk if users must have some level of code execution. Prioritize patching over extended mitigation strategies.

This analysis is based on the published CVE description and CVSS assessment. Specific kernel versions affected and patch availability vary by Linux distribution. Consult your vendor's official security advisory for version information, patch timelines, and support status. No proof-of-concept or exploit code is provided in this analysis. Organizations should validate patch applicability and test in non-production environments before deployment. SEC.co makes no warranty regarding the completeness or applicability of this analysis to your specific environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).