CVE-2026-53191

Source
https://cve.org/CVERecord?id=CVE-2026-53191
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53191.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53191
Downstream
Related
Published
2026-06-25T08:39:03.052Z
Modified
2026-07-08T08:09:46.762056689Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring/net: inherit IORINGCQEFBUF_MORE across bundle recv retries

When a bundle recv retries inside iorecvfinish(), the merge logic OR the saved cflags from the previous iteration with the cflags returned by the new iteration: cflags = req->cqe.flags | (cflags & CQEFMASK);

Bits listed in CQEFMASK are inherited from the new iteration, and all other bits (notably IORINGCQEFBUFFER and the buffer ID) come from the saved cflags. Before this change CQEFMASK covered only IORINGCQEFSOCKNONEMPTY and IORINGCQEFMORE.

When using provided buffer rings (IOUPBUFRINGINC) with incremental mode, and bundle recv, iokbufinccommit() can leave the head ring entry partially consumed, __ioputkbufs() then sets IORINGCQEFBUFMORE on the returned cflags so userspace knows the buffer ID will be reused for subsequent completions.

Because IORINGCQEFBUFMORE was not in CQEFMASK, the merge above silently dropped it whenever the final retry iteration partially consumed the buffer, and the subsequent req->cqe.flags = cflags & ~CQEFMASK save would have left a stale IORINGCQEFBUFMORE in the carried-over cflags had one been present. Userspace would then wrongfully advance it ring head past an entry the kernel still uses.

Add IORINGCQEFBUFMORE to CQEFMASK so it is both inherited from the new iteration into the user-visible CQE and stripped from the saved cflags between iterations.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53191.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ae98dbf43d755b4e111fcd086e53939bef3e9a1a
Fixed
f40570fda3f3a1f96aeaa4aef665ba274b2810b5
Fixed
0bbc9481f970b0b4ddb08cfa464db1cc93b74b56
Fixed
4973232a67e4137ab9399f504f7f2bdd847f96d2
Fixed
ed46f39c47eb5530a9c161481a2080d3a869cfaf

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53191.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53191.json"