{"api_version":"1","generated_at":"2026-06-28T04:41:34+00:00","cve":"CVE-2026-53191","urls":{"html":"https://cve.report/CVE-2026-53191","api":"https://cve.report/api/cve/CVE-2026-53191.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53191","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53191"},"summary":{"title":"io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries\n\nWhen a bundle recv retries inside io_recv_finish(), the merge logic OR\nthe saved cflags from the previous iteration with the cflags returned by\nthe new iteration:\n  cflags = req->cqe.flags | (cflags & CQE_F_MASK);\n\nBits listed in CQE_F_MASK are inherited from the new iteration, and all\nother bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the\nsaved cflags. Before this change CQE_F_MASK covered only\nIORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.\n\nWhen using provided buffer rings (IOU_PBUF_RING_INC) with incremental\nmode, and bundle recv, io_kbuf_inc_commit() can leave the head ring\nentry partially consumed, __io_put_kbufs() then sets\nIORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the\nbuffer ID will be reused for subsequent completions.\n\nBecause IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above\nsilently dropped it whenever the final retry iteration partially\nconsumed the buffer, and the subsequent req->cqe.flags = cflags &\n~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the\ncarried-over cflags had one been present. Userspace would then\nwrongfully advance it ring head past an entry the kernel still uses.\n\nAdd IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the\nnew iteration into the user-visible CQE and stripped from the saved\ncflags between iterations.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:36","updated_at":"2026-06-25 09:16:36"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f40570fda3f3a1f96aeaa4aef665ba274b2810b5","name":"https://git.kernel.org/stable/c/f40570fda3f3a1f96aeaa4aef665ba274b2810b5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ed46f39c47eb5530a9c161481a2080d3a869cfaf","name":"https://git.kernel.org/stable/c/ed46f39c47eb5530a9c161481a2080d3a869cfaf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0bbc9481f970b0b4ddb08cfa464db1cc93b74b56","name":"https://git.kernel.org/stable/c/0bbc9481f970b0b4ddb08cfa464db1cc93b74b56","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4973232a67e4137ab9399f504f7f2bdd847f96d2","name":"https://git.kernel.org/stable/c/4973232a67e4137ab9399f504f7f2bdd847f96d2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53191","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53191","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a f40570fda3f3a1f96aeaa4aef665ba274b2810b5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a 0bbc9481f970b0b4ddb08cfa464db1cc93b74b56 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a 4973232a67e4137ab9399f504f7f2bdd847f96d2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae98dbf43d755b4e111fcd086e53939bef3e9a1a ed46f39c47eb5530a9c161481a2080d3a869cfaf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53191","cve":"CVE-2026-53191","epss":"0.001750000","percentile":"0.072470000","score_date":"2026-06-27","updated_at":"2026-06-28 00:08:50"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["io_uring/net.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"f40570fda3f3a1f96aeaa4aef665ba274b2810b5","status":"affected","version":"ae98dbf43d755b4e111fcd086e53939bef3e9a1a","versionType":"git"},{"lessThan":"0bbc9481f970b0b4ddb08cfa464db1cc93b74b56","status":"affected","version":"ae98dbf43d755b4e111fcd086e53939bef3e9a1a","versionType":"git"},{"lessThan":"4973232a67e4137ab9399f504f7f2bdd847f96d2","status":"affected","version":"ae98dbf43d755b4e111fcd086e53939bef3e9a1a","versionType":"git"},{"lessThan":"ed46f39c47eb5530a9c161481a2080d3a869cfaf","status":"affected","version":"ae98dbf43d755b4e111fcd086e53939bef3e9a1a","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["io_uring/net.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.12"},{"lessThan":"6.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries\n\nWhen a bundle recv retries inside io_recv_finish(), the merge logic OR\nthe saved cflags from the previous iteration with the cflags returned by\nthe new iteration:\n  cflags = req->cqe.flags | (cflags & CQE_F_MASK);\n\nBits listed in CQE_F_MASK are inherited from the new iteration, and all\nother bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the\nsaved cflags. Before this change CQE_F_MASK covered only\nIORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.\n\nWhen using provided buffer rings (IOU_PBUF_RING_INC) with incremental\nmode, and bundle recv, io_kbuf_inc_commit() can leave the head ring\nentry partially consumed, __io_put_kbufs() then sets\nIORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the\nbuffer ID will be reused for subsequent completions.\n\nBecause IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above\nsilently dropped it whenever the final retry iteration partially\nconsumed the buffer, and the subsequent req->cqe.flags = cflags &\n~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the\ncarried-over cflags had one been present. Userspace would then\nwrongfully advance it ring head past an entry the kernel still uses.\n\nAdd IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the\nnew iteration into the user-visible CQE and stripped from the saved\ncflags between iterations."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:03.052Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/f40570fda3f3a1f96aeaa4aef665ba274b2810b5"},{"url":"https://git.kernel.org/stable/c/0bbc9481f970b0b4ddb08cfa464db1cc93b74b56"},{"url":"https://git.kernel.org/stable/c/4973232a67e4137ab9399f504f7f2bdd847f96d2"},{"url":"https://git.kernel.org/stable/c/ed46f39c47eb5530a9c161481a2080d3a869cfaf"}],"title":"io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53191","datePublished":"2026-06-25T08:39:03.052Z","dateReserved":"2026-06-09T07:44:35.390Z","dateUpdated":"2026-06-25T08:39:03.052Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:36","lastModifiedDate":"2026-06-25 09:16:36","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53191","Ordinal":"1","Title":"io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv r","CVE":"CVE-2026-53191","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53191","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries\n\nWhen a bundle recv retries inside io_recv_finish(), the merge logic OR\nthe saved cflags from the previous iteration with the cflags returned by\nthe new iteration:\n  cflags = req->cqe.flags | (cflags & CQE_F_MASK);\n\nBits listed in CQE_F_MASK are inherited from the new iteration, and all\nother bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the\nsaved cflags. Before this change CQE_F_MASK covered only\nIORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.\n\nWhen using provided buffer rings (IOU_PBUF_RING_INC) with incremental\nmode, and bundle recv, io_kbuf_inc_commit() can leave the head ring\nentry partially consumed, __io_put_kbufs() then sets\nIORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the\nbuffer ID will be reused for subsequent completions.\n\nBecause IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above\nsilently dropped it whenever the final retry iteration partially\nconsumed the buffer, and the subsequent req->cqe.flags = cflags &\n~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the\ncarried-over cflags had one been present. Userspace would then\nwrongfully advance it ring head past an entry the kernel still uses.\n\nAdd IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the\nnew iteration into the user-visible CQE and stripped from the saved\ncflags between iterations.","Type":"Description","Title":"io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv r"}]}}}