In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: clear waitid info before copying it to userspace
IORINGOPWAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself.
If the wait operation completes without reporting a child event, the common wait code can return without writing woinfo. In that case iowaitidfinish() still copies iw->info to userspace, exposing stale bytes from the reused iokiocb command storage.
Clear the result storage during prep so the iouring path matches the regular waitid syscall, which uses a zero-initialized struct waitidinfo.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46315.json",
"cna_assigner": "Linux"
}