In the Linux kernel, the following vulnerability has been resolved:
iouring/net: inherit IORINGCQEFBUF_MORE across bundle recv retries
When a bundle recv retries inside iorecvfinish(), the merge logic OR the saved cflags from the previous iteration with the cflags returned by the new iteration: cflags = req->cqe.flags | (cflags & CQEFMASK);
Bits listed in CQEFMASK are inherited from the new iteration, and all other bits (notably IORINGCQEFBUFFER and the buffer ID) come from the saved cflags. Before this change CQEFMASK covered only IORINGCQEFSOCKNONEMPTY and IORINGCQEFMORE.
When using provided buffer rings (IOUPBUFRINGINC) with incremental mode, and bundle recv, iokbufinccommit() can leave the head ring entry partially consumed, __ioputkbufs() then sets IORINGCQEFBUFMORE on the returned cflags so userspace knows the buffer ID will be reused for subsequent completions.
Because IORINGCQEFBUFMORE was not in CQEFMASK, the merge above silently dropped it whenever the final retry iteration partially consumed the buffer, and the subsequent req->cqe.flags = cflags & ~CQEFMASK save would have left a stale IORINGCQEFBUFMORE in the carried-over cflags had one been present. Userspace would then wrongfully advance it ring head past an entry the kernel still uses.
Add IORINGCQEFBUFMORE to CQEFMASK so it is both inherited from the new iteration into the user-visible CQE and stripped from the saved cflags between iterations.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53191.json",
"cna_assigner": "Linux"
}