CVE-2026-52933

HIGH

io_uring/poll: fix signed comparison in io_poll_get_ownership()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 2.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-835
Status published
Products (25)
linux/Kernel 6.1.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.86linux
Linux/Linux < 6.1
Linux/Linux 4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048
Linux/Linux 5.15.82 - 5.16
Linux/Linux 6.0.11 - 6.1
Linux/Linux 6.1
... and 15 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026