CVE-2025-37804 in Linux
Summary
by MITRE • 05/08/2025
In the Linux kernel, the following vulnerability has been resolved:
io_uring: always do atomic put from iowq
io_uring always switches requests to atomic refcounting for iowq execution before there is any parallelism by setting REQ_F_REFCOUNT, and the flag is not cleared until the request completes. That should be fine as long as the compiler doesn't make up a non-existing value for the flags; however, KCSAN still complains when the request owner changes other flag bits:
BUG: KCSAN: data-race in io_req_task_cancel / io_wq_free_work ... read to 0xffff888117207448 of 8 bytes by task 3871 on cpu 0: req_ref_put_and_test io_uring/refs.h:22 [inline]
Skip REQ_F_REFCOUNT checks for iowq, we know it's set.
Analysis
by VulDB Data Team • 03/14/2026
CVE-2025-37804 affects the io_uring subsystem of the Linux kernel, specifically a concurrency issue in the io_wq (io workqueue) execution path. The flaw manifests as a data race reported by the Kernel Concurrency Sanitizer (KCSAN) during request processing. Its root is io_uring's approach to reference counting for workqueue execution: the subsystem always switches a request to atomic reference counting by setting the REQ_F_REFCOUNT flag before any io_wq parallelism begins, regardless of whether the request is actually processed in parallel.
The flaw arises when io_uring transitions a request to atomic refcounting for io_wq execution: REQ_F_REFCOUNT is set and stays set until the request completes. This is sound for thread safety as long as the compiler does not fabricate a flags value that was never stored, yet KCSAN still reports a data race because the request owner may rewrite other bits of the same flags word while the workqueue path reads it to check REQ_F_REFCOUNT. The KCSAN report names io_req_task_cancel and io_wq_free_work as the racing parties, with the 8-byte read performed from req_ref_put_and_test triggering the sanitizer.
The vulnerability sits at kernel level inside io_uring, which provides high-performance asynchronous I/O to Linux applications. It affects how the kernel reference-counts requests that execute concurrently, which could lead to inconsistent state and race conditions affecting system stability. The issue is classified as CWE-362 (Race Condition) and is mapped to ATT&CK technique T1059.003 for kernel-level code execution and system manipulation.
The operational impact goes beyond performance degradation: exploitation of a race condition can potentially compromise system integrity. A KCSAN data-race report means concurrent accesses in the kernel may produce unpredictable behavior, memory corruption or security vulnerabilities. The fix removes the REQ_F_REFCOUNT check from the iowq put path, where the flag is already known to be set, eliminating the false-positive report while preserving the required atomicity guarantees.
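As an added illustration (not code from the kernel or from this page), a userspace C model of the refcount pattern the commit describes: the pre-fix put reads the flags word to check REQ_F_REFCOUNT, while the iowq-specific variant relies on the flag being known set and touches only the atomic counter. The struct layout, REQ_F_OTHER and the _atomic function name are assumptions for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed model of the io_uring refcount pattern from the commit message.
 * REQ_F_REFCOUNT and req_ref_put_and_test are the kernel's names; the struct
 * layout, REQ_F_OTHER and the *_atomic variant are illustrative assumptions. */
#define REQ_F_REFCOUNT (1UL << 0) /* request is atomically refcounted */
#define REQ_F_OTHER    (1UL << 1) /* any other bit the owner may flip */

struct io_kiocb {
    unsigned long flags; /* plain word, rewritten by the owner without atomics */
    atomic_int refs;     /* only meaningful once REQ_F_REFCOUNT is set */
};

/* Single owner before iowq hand-off: switch to atomic refcounting. */
static void io_req_set_refcount(struct io_kiocb *req, int refs)
{
    req->flags |= REQ_F_REFCOUNT;
    atomic_store(&req->refs, refs);
}

/* Pre-fix shape: reads req->flags first. From iowq this read races with the
 * owner writing other bits of the same word, which is what KCSAN reported. */
static bool req_ref_put_and_test(struct io_kiocb *req)
{
    if (!(req->flags & REQ_F_REFCOUNT))
        return true; /* no refcounting: the sole owner may free immediately */
    return atomic_fetch_sub(&req->refs, 1) == 1;
}

/* Post-fix shape for iowq: the flag is known to be set, so never read flags. */
static bool req_ref_put_and_test_atomic(struct io_kiocb *req)
{
    return atomic_fetch_sub(&req->refs, 1) == 1;
}

/* Owner flips an unrelated bit while the iowq side drops its reference;
 * the iowq put touches only the counter. Returns 0 when refs behave. */
static int iowq_scenario(void)
{
    struct io_kiocb req = { .flags = 0 };
    io_req_set_refcount(&req, 2);               /* owner + iowq worker */
    req.flags |= REQ_F_OTHER;                   /* owner's unrelated write */
    bool wq_freed = req_ref_put_and_test_atomic(&req);  /* 2 -> 1 */
    bool owner_freed = req_ref_put_and_test(&req);      /* 1 -> 0 */
    return (!wq_freed && owner_freed && (req.flags & REQ_F_REFCOUNT)) ? 0 : -1;
}
```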
Mitigation consists of updating to a kernel version that carries the fix, which drops the redundant REQ_F_REFCOUNT check for iowq operations while keeping atomic reference counting in place. System administrators should prioritize the kernel update, particularly in production environments that rely on io_uring for high-performance I/O. The fix also reflects broader kernel security practice: reducing false positives keeps sanitizer output useful, so real race conditions are not masked. Organizations running io_uring-dependent workloads should track their kernel versions and apply the patch promptly to avoid instability or data-integrity problems from this concurrency issue.