io_uring/poll: fix signed comparison in io_poll_get_ownership()_CVE-2026-52933

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix signed comparison in io_poll_get_ownership()

io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:

if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.

Basic Information

ID CVE-2026-52933

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version a26a35e9019fd70bf3cf647dcfdae87abc7bacea

Affected Versions Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea
Linux Linux 4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048
Linux Linux bc4e6ee16778149811333a969a7a893d4cc110c5
Linux Linux 5.15.82
Linux Linux 6.0.11
Linux Linux 6.1

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: fix signed comparison in io_poll_get_ownership()\n\nio_poll_get_ownership() uses a signed comparison to check whether\npoll_refs has reached the threshold for the slowpath:\n\n    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))\n\natomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG\n(BIT(31)) is set in poll_refs, the value becomes negative in\nsigned arithmetic, so the >= 128 comparison always evaluates to\nfalse and the slowpath is never taken.\n\nFix this by casting the atomic_read() result to unsigned int\nbefore the comparison, so that the cancel flag is treated as a\nlarge positive value and correctly triggers the slowpath.",
    "published": "2026-06-24T07:14:24.678Z",
    "modified": "2026-06-28T06:36:54.123Z",
    "type": "cve",
    "title": "io_uring/poll: fix signed comparison in io_poll_get_ownership()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/81bf96b0abbfa4cd47ea32e12596aed3855fb2f3\nhttps://git.kernel.org/stable/c/cf522703d4f194991615763697ae25a3f9539763\nhttps://git.kernel.org/stable/c/fc47043f3d9af3efa407665b47f8378ec691ba18\nhttps://git.kernel.org/stable/c/ea0697129807d718037f618221037aa0660ee3c5\nhttps://git.kernel.org/stable/c/c6d191164dc81838d8dbf452a6000f68c558d1ae\nhttps://git.kernel.org/stable/c/326941b22806cbf2df1fbfe902b7908b368cce42",
    "id": "CVE-2026-52933",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux a26a35e9019fd70bf3cf647dcfdae87abc7bacea\nLinux Linux 4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048\nLinux Linux bc4e6ee16778149811333a969a7a893d4cc110c5\nLinux Linux 5.15.82\nLinux Linux 6.0.11\nLinux Linux 6.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a26a35e9019fd70bf3cf647dcfdae87abc7bacea",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply