On 5/3/26 12:00, Mohamed salem Eddah wrote:
> Hello,
> I am reporting a security issue in the Linux kernel involving an
> out-of-bounds heap write in io_uring/zcrx.c.
> This issue appears to have been addressed in commit 770594e
> (“io_uring/zcrx: warn on freelist violations”, April 21, 2026); however, it
> was not assigned a CVE and does not appear to have been included in a
> formal security advisory. As a result, multiple stable and downstream
> distribution kernels are still affected.
> ------------------------------
> Vulnerability Summary
> *File:* io_uring/zcrx.c
> *Function:* io_zcrx_return_niov_freelist()
> *Introduced:* Linux 6.12 (initial ZCRX merge)

FWIW, it was added IIRC in 6.15, but not 6.12

> *Fixed upstream:* 770594e (Apr 21, 2026)
> *Status:* Fix not yet present in stable releases

Did you trigger the problem or the warning in a new kernel
without the attached modules? Which kernel version / hash
was it? There was a fix for the scrub case, but otherwise
don't immediately see how that can happen. I'll take a look.
--
Pavel Begunkov