CVE-2025-71149 PUBLISHED

io_uring/poll: correctly handle io_poll_add() return value on update

Assigner: Linux
Reserved: 13.01.2026 Published: 23.01.2026 Updated: 23.01.2026

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: correctly handle io_poll_add() return value on update

When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted.

Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 97b388d70b53fd7d286ac1b81e5a88bd6af98209 to 8b777ab48441b153502772ecfc78c107d4353f29 (excl.)
  • affected from 97b388d70b53fd7d286ac1b81e5a88bd6af98209 to 0126560370ed5217958b85657b590ad25e8b9c00 (excl.)
  • affected from 97b388d70b53fd7d286ac1b81e5a88bd6af98209 to c1669c03bfbc2a9b5ebff4428eecebe734c646fe (excl.)
  • affected from 97b388d70b53fd7d286ac1b81e5a88bd6af98209 to 13a8f7b88c2d40c6b33f6216190478dda95d385f (excl.)
  • affected from 97b388d70b53fd7d286ac1b81e5a88bd6af98209 to 84230ad2d2afbf0c44c32967e525c0ad92e26b4e (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.0 is affected
  • unaffected from 0 to 6.0 (excl.)
  • unaffected from 6.1.160 to 6.1.* (incl.)
  • unaffected from 6.6.120 to 6.6.* (incl.)
  • unaffected from 6.12.64 to 6.12.* (incl.)
  • unaffected from 6.18.3 to 6.18.* (incl.)
  • unaffected from 6.19-rc1 to * (incl.)
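
The version ranges above can be turned into a quick triage check. The following is an added example, not part of the CVE record or the kernel project. It assumes the input is an upstream kernel.org version string; distribution kernels that backport patches need the vendor's own advisory. The function name and the sample strings are constructed for illustration.

```python
import re

# Fixed stable releases, copied from the "unaffected from" entries of this record.
FIXED_IN_SERIES = {(6, 1): 160, (6, 6): 120, (6, 12): 64, (6, 18): 3}
INTRODUCED = (6, 0)        # "Version 6.0 is affected"
FIXED_MAINLINE = (6, 19)   # "unaffected from 6.19-rc1"

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def upstream_status(release: str) -> str:
    """Classify a `uname -r` style string against the record's upstream ranges.

    Returns "unaffected", "affected" or "unknown". Only the leading
    MAJOR.MINOR[.PATCH] is read, so suffixes such as "-rc3" or a build tag
    are ignored. Assumption: the numbers are upstream version numbers.
    """
    m = _RELEASE.match(release.strip())
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    # Before the affected range starts, or at/after the mainline fix.
    if series < INTRODUCED or series >= FIXED_MAINLINE:
        return "unaffected"
    # Stable series that received a fix: compare the patch level.
    fixed = FIXED_IN_SERIES.get(series)
    if fixed is not None and patch >= fixed:
        return "unaffected"
    # Everything else from 6.0 up to 6.19-rc1 falls under "Default: affected",
    # including series for which the record lists no fixed release.
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("5.15.148", "6.1.159", "6.1.160", "6.8.12", "6.19.0-rc1"):
        print(f"{sample:12} {upstream_status(sample)}")
```

A result of "affected" for a series with no entry in the table, such as 6.8, means the record lists no fixed release for that series.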

References