Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/waitid: clear waitid info before copying it to userspace

IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.

If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.

Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.
Published: 2026-06-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6355-1 linux security update
History

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 09 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-758

Tue, 09 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
Title io_uring/waitid: clear waitid info before copying it to userspace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:08:38.384Z

Reserved: 2026-05-13T15:03:33.111Z

Link: CVE-2026-46315

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T09:16:30.330

Modified: 2026-06-09T09:16:30.330

Link: CVE-2026-46315

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46315 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses