{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\\n\\nio_wq_remove_pending() needs to fix up wq-\\u003ehash_tail[] if the cancelled\\nwork was the tail of its hash bucket. When doing this, it checks whether\\nthe preceding entry in acct-\\u003ework_list has the same hash value, but\\nnever checks that the predecessor is hashed at all. io_get_work_hash()\\nis simply atomic_read(\\u0026work-\\u003eflags) \\u003e\\u003e IO_WQ_HASH_SHIFT, and the hash\\nbits are never set for non-hashed work, so it returns 0. Thus, when a\\nhashed bucket-0 work is cancelled while a non-hashed work is its list\\npredecessor, the check spuriously passes and a pointer to the non-hashed\\nio_kiocb is stored in wq-\\u003ehash_tail[0].\\n\\nBecause non-hashed work is dequeued via the fast path in\\nio_get_next_work(), which never touches hash_tail[], the stale pointer\\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\\nis freed back to req_cachep, wq-\\u003ehash_tail[0] is a dangling pointer. The\\nio_wq is per-task (tctx-\\u003eio_wq) and survives ring open\/close, so the\\ndangling pointer persists for the lifetime of the task; the next hashed\\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\\nwq_list_add_after() writes through freed memory.\\n\\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\\nnever inherits a hash_tail[] slot.”,”published”:”2026-06-08T14:30:53.323Z”,”modified”:”2026-06-14T04:29:55.098Z”,”type”:”cve”,”title”:”io-wq: check that the predecessor is hashed in io_wq_remove_pending()”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/d6bda9df0c0a3080804181464d5c0f4d78a4e769\\nhttps:\/\/git.kernel.org\/stable\/c\/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603\\nhttps:\/\/git.kernel.org\/stable\/c\/252c5051dba9c709b6a72f2866f93e5e618b3f06\\nhttps:\/\/git.kernel.org\/stable\/c\/d376c131af7c7739a87ff037ed2fdb67c2542c8a\\nhttps:\/\/git.kernel.org\/stable\/c\/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc”,”id”:”CVE-2026-46274″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 204361a77f4018627addd4a06877448f088ddfc0\\nLinux Linux 204361a77f4018627addd4a06877448f088ddfc0\\nLinux Linux 204361a77f4018627addd4a06877448f088ddfc0\\nLinux Linux 204361a77f4018627addd4a06877448f088ddfc0\\nLinux Linux 204361a77f4018627addd4a06877448f088ddfc0\\nLinux Linux 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5\\nLinux Linux 5.8.6\\nLinux Linux 5.9″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”204361a77f4018627addd4a06877448f088ddfc0″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\\n\\nio_wq_remove_pending() needs to fix up wq-\\u003ehash_tail[] if the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-62566","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n