io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
Summary
| CVE | CVE-2026-53191 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-25 09:16:36 UTC |
| Updated | 2026-06-25 09:16:36 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries When a bundle recv retries inside io_recv_finish(), the merge logic OR the saved cflags from the previous iteration with the cflags returned by the new iteration: cflags = req->cqe.flags | (cflags & CQE_F_MASK); Bits listed in CQE_F_MASK are inherited from the new iteration, and all other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the saved cflags. Before this change CQE_F_MASK covered only IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE. When using provided buffer rings (IOU_PBUF_RING_INC) with incremental mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring entry partially consumed, __io_put_kbufs() then sets IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the buffer ID will be reused for subsequent completions. Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above silently dropped it whenever the final retry iteration partially consumed the buffer, and the subsequent req->cqe.flags = cflags & ~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the carried-over cflags had one been present. Userspace would then wrongfully advance it ring head past an entry the kernel still uses. Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the new iteration into the user-visible CQE and stripped from the saved cflags between iterations. |
Risk And Classification
EPSS: 0.001750000 probability, percentile 0.072470000 (date 2026-06-27)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a f40570fda3f3a1f96aeaa4aef665ba274b2810b5 git | Not specified |
| CNA | Linux | Linux | affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a 0bbc9481f970b0b4ddb08cfa464db1cc93b74b56 git | Not specified |
| CNA | Linux | Linux | affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a 4973232a67e4137ab9399f504f7f2bdd847f96d2 git | Not specified |
| CNA | Linux | Linux | affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a ed46f39c47eb5530a9c161481a2080d3a869cfaf git | Not specified |
| CNA | Linux | Linux | affected 6.12 | Not specified |
| CNA | Linux | Linux | unaffected 6.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.94 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.36 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.13 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/f40570fda3f3a1f96aeaa4aef665ba274b2810b5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ed46f39c47eb5530a9c161481a2080d3a869cfaf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0bbc9481f970b0b4ddb08cfa464db1cc93b74b56 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4973232a67e4137ab9399f504f7f2bdd847f96d2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.