On Mon, May 04, 2026 at 07:02:30AM +0100, Pavel Begunkov wrote:
> On 5/3/26 12:00, Mohamed salem Eddah wrote:
> >I am reporting a security issue in the Linux kernel involving an
> >out-of-bounds heap write in io_uring/zcrx.c.
> >
> >This issue appears to have been addressed in commit 770594e
> >("io_uring/zcrx: warn on freelist violations", April 21, 2026),
> >however it was not assigned a CVE and does not appear to have been
> >included in a formal security advisory. As a result, multiple stable
> >and downstream distribution kernels are still affected.
> >------------------------------
> >Vulnerability Summary
> >
> >*File:* io_uring/zcrx.c
> >*Function:* io_zcrx_return_niov_freelist()
> >*Introduced:* Linux 6.12 (initial ZCRX merge)
>
> FWIW, it was added IIRC in 6.15, but not 6.12
>
> >*Fixed upstream:* 770594e (Apr 21, 2026)
> >*Status:* Fix not yet present in stable releases
>
> Did you trigger the problem or the warning in a new kernel
> without the attached modules? Which kernel version / hash
> was it? There was a fix for the scrub case, but otherwise
> don't immediately see how that can happen. I'll take a look.
I only skimmed, but as far as I can tell Mohamed isn't the original
finder of this issue and the report and PoCs are AI-generated, which
could be why Mohamed is not communicating further.

It's becoming a trend - someone sends an AI-generated report and doesn't
communicate. Which doesn't mean the report is useless, but it does
complicate its handling.

Meanwhile, it looks like there's a blog post (by someone else? I am
confused) on exploitation of this issue, with exploit files attached:

https://ze3tar.github.io/post-zcrx.html

Alexander
