| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026012328-CVE-2025-71149-c9ee@gregkh> Date: Fri, 23 Jan 2026 15:15:29 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71149: io_uring/poll: correctly handle io_poll_add() return value on update From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. The Linux kernel CVE team has assigned CVE-2025-71149 to this issue. Affected and fixed versions =========================== Issue introduced in 6.0 with commit 97b388d70b53fd7d286ac1b81e5a88bd6af98209 and fixed in 6.1.160 with commit 8b777ab48441b153502772ecfc78c107d4353f29 Issue introduced in 6.0 with commit 97b388d70b53fd7d286ac1b81e5a88bd6af98209 and fixed in 6.6.120 with commit 0126560370ed5217958b85657b590ad25e8b9c00 Issue introduced in 6.0 with commit 97b388d70b53fd7d286ac1b81e5a88bd6af98209 and fixed in 6.12.64 with commit c1669c03bfbc2a9b5ebff4428eecebe734c646fe Issue introduced in 6.0 with commit 97b388d70b53fd7d286ac1b81e5a88bd6af98209 and fixed in 6.18.3 with commit 13a8f7b88c2d40c6b33f6216190478dda95d385f Issue introduced in 6.0 with commit 97b388d70b53fd7d286ac1b81e5a88bd6af98209 and fixed in 6.19-rc1 with commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71149 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: io_uring/poll.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29 https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00 https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e
Powered by blists - more mailing lists