{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel io_uring: Local privilege escalation, information disclosure, or denial of service via use-after-free",
    "id" : "2376077",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376077"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nio_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()\nsyzbot reports:\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x53/0x70\nprint_report+0xd0/0x670\n? __pfx__raw_spin_lock_irqsave+0x10/0x10\n? getrusage+0x1109/0x1a60\nkasan_report+0xce/0x100\n? getrusage+0x1109/0x1a60\ngetrusage+0x1109/0x1a60\n? __pfx_getrusage+0x10/0x10\n__io_uring_show_fdinfo+0x9fe/0x1790\n? ksys_read+0xf7/0x1c0\n? do_syscall_64+0xa4/0x260\n? vsnprintf+0x591/0x1100\n? __pfx___io_uring_show_fdinfo+0x10/0x10\n? __pfx_vsnprintf+0x10/0x10\n? mutex_trylock+0xcf/0x130\n? __pfx_mutex_trylock+0x10/0x10\n? __pfx_show_fd_locks+0x10/0x10\n? io_uring_show_fdinfo+0x57/0x80\nio_uring_show_fdinfo+0x57/0x80\nseq_show+0x38c/0x690\nseq_read_iter+0x3f7/0x1180\n? inode_set_ctime_current+0x160/0x4b0\nseq_read+0x271/0x3e0\n? __pfx_seq_read+0x10/0x10\n? __pfx__raw_spin_lock+0x10/0x10\n? __mark_inode_dirty+0x402/0x810\n? selinux_file_permission+0x368/0x500\n? file_update_time+0x10f/0x160\nvfs_read+0x177/0xa40\n? __pfx___handle_mm_fault+0x10/0x10\n? __pfx_vfs_read+0x10/0x10\n? mutex_lock+0x81/0xe0\n? __pfx_mutex_lock+0x10/0x10\n? fdget_pos+0x24d/0x4b0\nksys_read+0xf7/0x1c0\n? __pfx_ksys_read+0x10/0x10\n? do_user_addr_fault+0x43b/0x9c0\ndo_syscall_64+0xa4/0x260\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n</TASK>\nAllocated by task 298:\nkasan_save_stack+0x33/0x60\nkasan_save_track+0x14/0x30\n__kasan_slab_alloc+0x6e/0x70\nkmem_cache_alloc_node_noprof+0xe8/0x330\ncopy_process+0x376/0x5e00\ncreate_io_thread+0xab/0xf0\nio_sq_offload_create+0x9ed/0xf20\nio_uring_setup+0x12b0/0x1cc0\ndo_syscall_64+0xa4/0x260\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 22:\nkasan_save_stack+0x33/0x60\nkasan_save_track+0x14/0x30\nkasan_save_free_info+0x3b/0x60\n__kasan_slab_free+0x37/0x50\nkmem_cache_free+0xc4/0x360\nrcu_core+0x5ff/0x19f0\nhandle_softirqs+0x18c/0x530\nrun_ksoftirqd+0x20/0x30\nsmpboot_thread_fn+0x287/0x6c0\nkthread+0x30d/0x630\nret_from_fork+0xef/0x1a0\nret_from_fork_asm+0x1a/0x30\nLast potentially related work creation:\nkasan_save_stack+0x33/0x60\nkasan_record_aux_stack+0x8c/0xa0\n__call_rcu_common.constprop.0+0x68/0x940\n__schedule+0xff2/0x2930\n__cond_resched+0x4c/0x80\nmutex_lock+0x5c/0xe0\nio_uring_del_tctx_node+0xe1/0x2b0\nio_uring_clean_tctx+0xb7/0x160\nio_uring_cancel_generic+0x34e/0x760\ndo_exit+0x240/0x2350\ndo_group_exit+0xab/0x220\n__x64_sys_exit_group+0x39/0x40\nx64_sys_call+0x1243/0x1840\ndo_syscall_64+0xa4/0x260\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nThe buggy address belongs to the object at ffff88810de2cb00\nwhich belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\nfreed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\nwhich is caused by the task_struct pointed to by sq->thread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the\nrelease or exit of sq->thread.\nFix this by assigning and looking up ->thread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---", "A flaw was found in the Linux kernel's io_uring subsystem. A local attacker with low privileges could exploit a use-after-free vulnerability when the `sq->thread` object is prematurely released while still being accessed by the `__io_uring_show_fdinfo()` function. This flaw could lead to privilege escalation, allowing the attacker to execute arbitrary code, disclose sensitive information, or cause a system-wide denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-03T00:00:00Z",
    "advisory" : "RHSA-2026:3579",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.62.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:3966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.38.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:3966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.38.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3088",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.92.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38106\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38106\nhttps://lore.kernel.org/linux-cve-announce/2025070322-CVE-2025-38106-8de3@gregkh/T" ],
  "name" : "CVE-2025-38106",
  "csaw" : false
}