CVE-2026-53191 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
When a bundle recv retries inside io_recv_finish(), the merge logic ORs the saved cflags from the previous iteration with the cflags returned by the new iteration: cflags = req->cqe.flags | (cflags & CQE_F_MASK);
Bits listed in CQE_F_MASK are inherited from the new iteration, and all other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the saved cflags. Before this change CQE_F_MASK covered only IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.
When using provided buffer rings (IOU_PBUF_RING_INC) with incremental mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring entry partially consumed, __io_put_kbufs() then sets IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the buffer ID will be reused for subsequent completions.
Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above silently dropped it whenever the final retry iteration partially consumed the buffer, and the subsequent req->cqe.flags = cflags & ~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the carried-over cflags had one been present. Userspace would then wrongfully advance its ring head past an entry the kernel still uses.
Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the new iteration into the user-visible CQE and stripped from the saved cflags between iterations.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability affects the Linux kernel's io_uring networking code, specifically the io_recv_finish() path that completes bundle receive operations. It is a logic flaw in how CQE flags are carried across the retry iterations of a single bundle recv, and it only manifests when three features are combined: provided buffer rings, incremental buffer consumption (IOU_PBUF_RING_INC) and bundle recv. In that combination the kernel and the application must agree on how much of each ring entry has been consumed, and the CQE flags are the only channel through which the kernel tells the application.
The root cause is the merge that combines the CQE flags of successive iterations. Before the fix, CQE_F_MASK covered only IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE, so only those bits were taken from the newest iteration; everything else, including IORING_CQE_F_BUFFER and the buffer ID, came from the flags saved by the previous iteration. When io_kbuf_inc_commit() leaves the head ring entry partially consumed, __io_put_kbufs() sets IORING_CQE_F_BUF_MORE on the cflags it returns to tell userspace that the same buffer ID will be used again by later completions. Because that bit was not in CQE_F_MASK, the merge silently discarded it whenever the final retry iteration was the one that partially consumed the buffer, and the user-visible CQE reported the buffer as fully consumed. The same omission meant that a BUF_MORE bit already present in the saved flags would not have been stripped between iterations, so it could have been reported as stale on a later CQE.
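As an added illustration (this is a user-space model written for this page, not kernel code and not part of the advisory or the fix), the following C program reproduces the merge described in the commit message and in the paragraph above: one bundle recv driven through two iterations, once with the pre-fix CQE_F_MASK and once with the fixed one, followed by the consumer-side rule an application must apply to the resulting CQE. The flag bit values are assumed to match include/uapi/linux/io_uring.h; the helper names, the two scenarios and buffer ID 7 are constructed for the example.

```c
/*
 * Added example: a user-space model of the cflags merge in io_recv_finish()
 * for bundle recv retries. It is not kernel code. Flag values are assumed to
 * match include/uapi/linux/io_uring.h; everything else is constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IORING_CQE_F_BUFFER        (1U << 0)
#define IORING_CQE_F_MORE          (1U << 1)
#define IORING_CQE_F_SOCK_NONEMPTY (1U << 2)
#define IORING_CQE_F_BUF_MORE      (1U << 4)
#define IORING_CQE_BUFFER_SHIFT    16

/* Mask before the fix: only these bits are taken from the newest iteration. */
#define CQE_F_MASK_OLD (IORING_CQE_F_SOCK_NONEMPTY | IORING_CQE_F_MORE)
/* Mask after the fix: IORING_CQE_F_BUF_MORE is inherited and stripped too. */
#define CQE_F_MASK_NEW (CQE_F_MASK_OLD | IORING_CQE_F_BUF_MORE)

/* cflags as __io_put_kbufs() would return them for provided buffer ID `bid`. */
static uint32_t kbuf_cflags(unsigned bid, bool partial)
{
    uint32_t f = IORING_CQE_F_BUFFER | (bid << IORING_CQE_BUFFER_SHIFT);
    if (partial)   /* head entry only partly consumed (IOU_PBUF_RING_INC) */
        f |= IORING_CQE_F_BUF_MORE;
    return f;
}

/*
 * Drive one bundle recv through `n` iterations. iters[i] is the cflags the
 * i-th iteration produced (buffer bits plus SOCK_NONEMPTY). Every iteration
 * but the last retries, so the kernel saves `cflags & ~mask` into
 * req->cqe.flags and the next iteration merges with
 *     cflags = req->cqe.flags | (cflags & mask);
 * Returns the cflags that reach the user-visible CQE.
 */
static uint32_t run_bundle(const uint32_t *iters, int n, uint32_t mask)
{
    uint32_t saved = 0;        /* models req->cqe.flags */
    uint32_t cflags = 0;
    bool retrying = false;

    for (int i = 0; i < n; i++) {
        cflags = iters[i];
        if (retrying)
            cflags = saved | (cflags & mask);
        if (i + 1 < n) {       /* more data queued: retry and append */
            saved = cflags & ~mask;
            retrying = true;
        }
    }
    return cflags;
}

/* Scenario from the advisory: the final retry only partly consumes buffer 7. */
static uint32_t final_iteration_partial(uint32_t mask)
{
    uint32_t iters[] = {
        kbuf_cflags(7, false) | IORING_CQE_F_SOCK_NONEMPTY,
        kbuf_cflags(7, true),
    };
    return run_bundle(iters, 2, mask);
}

/* The other hazard: BUF_MORE left in the saved flags by an earlier iteration. */
static uint32_t earlier_iteration_partial(uint32_t mask)
{
    uint32_t iters[] = {
        kbuf_cflags(7, true) | IORING_CQE_F_SOCK_NONEMPTY,
        kbuf_cflags(7, false) | IORING_CQE_F_SOCK_NONEMPTY,
    };
    return run_bundle(iters, 2, mask);
}

static unsigned cqe_buffer_id(uint32_t cqe_flags)
{
    return cqe_flags >> IORING_CQE_BUFFER_SHIFT;
}

/*
 * Consumer rule for an incremental buffer ring: a buffer ID may only be
 * recycled once a CQE names it with IORING_CQE_F_BUF_MORE clear; while the
 * flag is set the kernel will keep writing into that entry.
 */
static bool buffer_reusable(uint32_t cqe_flags)
{
    if (!(cqe_flags & IORING_CQE_F_BUFFER))
        return false;          /* no provided buffer attached to this CQE */
    return !(cqe_flags & IORING_CQE_F_BUF_MORE);
}

int main(void)
{
    uint32_t old = final_iteration_partial(CQE_F_MASK_OLD);
    uint32_t fixed = final_iteration_partial(CQE_F_MASK_NEW);

    printf("pre-fix  cflags=0x%08x bid=%u reusable=%d  (BUF_MORE dropped)\n",
           old, cqe_buffer_id(old), buffer_reusable(old));
    printf("post-fix cflags=0x%08x bid=%u reusable=%d\n",
           fixed, cqe_buffer_id(fixed), buffer_reusable(fixed));
    return 0;
}
```

With the old mask the first scenario yields a CQE carrying only IORING_CQE_F_BUFFER and buffer ID 7, so buffer_reusable() returns true and a correctly written application would recycle an entry the kernel is still filling; with the fixed mask the same CQE carries IORING_CQE_F_BUF_MORE and the application holds the buffer back. The second scenario shows the stripping side of the fix: a BUF_MORE bit from an earlier iteration no longer survives into the final CQE.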
The flaw breaks the agreement between kernel and userspace about the state of the buffer ring. On a CQE that lacks the flag, an application following the documented contract treats the buffer as fully consumed and advances its ring head or recycles the buffer, while the kernel is still writing later received data into that entry; the practical outcome is corrupted or lost received data in the application's own buffers. The entry is classified as CWE-129 (Improper Validation of Array Index, a child of Improper Input Validation). Nothing in the fix description establishes a privilege escalation path or kernel memory corruption: the memory at stake is the application's provided buffer, so the impact supported by the advisory is the integrity and reliability of the receiving application rather than a kernel compromise.
Operationally, the applications at risk are those that use bundle recv together with incremental provided buffer rings, which in practice means high-throughput network services on recent kernels: web servers, proxies, database engines and network monitoring tools that adopted io_uring's newer buffer management. In such an application the symptom is not a kernel crash but silently truncated or corrupted received payloads, because a buffer the kernel is still filling has been handed back to the ring or reused for something else, and the corruption can be intermittent since it depends on how much data was queued on the socket when the final retry ran.
Mitigation is the kernel patch that adds IORING_CQE_F_BUF_MORE to CQE_F_MASK, so the flag is both inherited from the new iteration into the user-visible CQE and stripped from the saved flags between iterations. Administrators should update to a kernel that includes this fix, prioritising hosts where io_uring networking is in production use. Until the kernel is updated, the triggering combination can be avoided at the application level by not using IOU_PBUF_RING_INC together with bundle recv, since both are required to reach the bug; that workaround is inferred from the trigger conditions in the fix description, not a vendor recommendation. Application owners should also verify in testing that no buffer ID is recycled while the most recent CQE for it still carries IORING_CQE_F_BUF_MORE, and treat unexplained payload corruption on bundle recv paths as a signal to check the running kernel version.