CVE-2026-45995— io_uring/zcrx: fix user_struct uaf

AI Predicted 7.8 Difficulty: Hard EPSS 0.02% · P5 Updated May 27, 2026

Possible ATT&CK Techniques 1AI

T1203 · Exploitation for Client Execution

Affected Version Matrix 6

Vendor	Product	Version Range	Status
Linux	Linux	`5c686456a4e83ef06c74d40be05c21a0ef136684< 9feb88eeda6d288f93fcfb6bca563f89e316479d`	affected
		`5c686456a4e83ef06c74d40be05c21a0ef136684< 0fcccfd87152f957fa8312b841f6efef42a05a20`	affected
		`6.19`	affected
		`< 6.19`	unaffected
		`7.0.4≤ 7.0.*`	unaffected
		`7.1-rc1≤ *`	unaffected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-45995

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

io_uring/zcrx: fix user_struct uaf

Source: NVD (National Vulnerability Database)

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_struct uaf io_free_rbuf_ring() usees a struct user_struct, which io_zcrx_ifq_free() puts it down before destroying the ring.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Linux kernel 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞，该漏洞源于io_uring zcrx中io_free_rbuf_ring函数在销毁环前释放用户结构，可能导致释放后重用。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Linux	Linux	5c686456a4e83ef06c74d40be05c21a0ef136684 ~ 9feb88eeda6d288f93fcfb6bca563f89e316479d	-
Linux	Linux	6.19	-

II. Public POCs for CVE-2026-45995

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-45995

请登录查看更多情报信息。

Patches & Fixes for CVE-2026-45995 (2)

https://nvd.nist.gov/vuln/detail/CVE-2026-45995

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-46039	9.8 CRITICAL	rxgk: Fix potential integer overflow in length check
CVE-2026-45898	9.8 CRITICAL	RDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-45988	9.8 CRITICAL	rxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-45972	9.8 CRITICAL	smb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-46043	9.1 CRITICAL	RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-46056	8.8 HIGH	Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-45945	8.8 HIGH	iommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-45843	8.2 HIGH	slip: bound decode() reads against the compressed packet length
CVE-2026-46037	8.2 HIGH	ipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-46010	8.1 HIGH	rxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-46099	8.1 HIGH	net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-46076	7.9 HIGH	KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-45894	7.8 HIGH	iommu/vt-d: Clear Present bit before tearing down PASID entry
CVE-2026-45959	7.8 HIGH	crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree
CVE-2026-46011	7.8 HIGH	media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
CVE-2026-46015	7.8 HIGH	tcp: call sk_data_ready() after listener migration
CVE-2026-45852	7.8 HIGH	RDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-46058	7.8 HIGH	media: amphion: Fix race between m2m job_abort and device_run
CVE-2026-45861	7.8 HIGH	gfs2: Fix slab-use-after-free in qd_put
CVE-2026-46053	7.8 HIGH	net: rds: fix MR cleanup on copy error

Showing top 20 of 276 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux

Same vendor: Linux

V. Comments for CVE-2026-45995

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-45995— io_uring/zcrx: fix user_struct uaf

Possible ATT&CK Techniques 1AI

Affected Version Matrix 6

I. Basic Information for CVE-2026-45995

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-45995

III. Intelligence Information for CVE-2026-45995

Patches & Fixes for CVE-2026-45995 (2)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-45995

Leave a comment