CVE-2026-52933
HIGHio_uring/poll: fix signed comparison in io_poll_get_ownership()
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.
References (6)
Core 6
Core References
Scores
CVSS v3
7.8
EPSS
0.0012
EPSS Percentile
2.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-835
Status
published
Products (25)
linux/Kernel
6.1.0 - 6.1.175linux
linux/Kernel
6.13.0 - 6.18.27linux
linux/Kernel
6.19.0 - 7.0.4linux
linux/Kernel
6.2.0 - 6.6.140linux
linux/Kernel
6.7.0 - 6.12.86linux
Linux/Linux
< 6.1
Linux/Linux
4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048
Linux/Linux
5.15.82 - 5.16
Linux/Linux
6.0.11 - 6.1
Linux/Linux
6.1
... and 15 more
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026