CVE Catalog

CVE-2026-46315

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile - higher than 5% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the io_uring subsystem for IORING_OP_WAITID. The result structure (io_waitid::info) was not initialized before copying to userspace, potentially leaking uninitialized kernel memory.

Risk Assessment

The risk involves potential disclosure of sensitive kernel memory to userspace, which could allow a local attacker to read confidential information or bypass security mechanisms.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit that clears io_waitid::info before copying). Monitor official security advisories from your Linux distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS