CVE-2026-46315
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the io_uring subsystem for IORING_OP_WAITID. The result structure (io_waitid::info) was not initialized before copying to userspace, potentially leaking uninitialized kernel memory.
Risk Assessment
The risk involves potential disclosure of sensitive kernel memory to userspace, which could allow a local attacker to read confidential information or bypass security mechanisms.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit that clears io_waitid::info before copying). Monitor official security advisories from your Linux distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.

