{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46274: io-wq: check that the predecessor is hashed in io_wq_remove_pending()","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46274","status":"final","version":"1","initial_release_date":"2026-06-08T14:30:53.323Z","current_release_date":"2026-06-14T04:29:55.098Z","revision_history":[{"date":"2026-06-08T14:30:53.323Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct->work_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq->hash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx->io_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46274 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46274"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46274"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=204361a77f4018627addd4a06877448f088ddfc0 <d6bda9df0c0a3080804181464d5c0f4d78a4e769","product":{"name":"Linux Linux >=204361a77f4018627addd4a06877448f088ddfc0 <d6bda9df0c0a3080804181464d5c0f4d78a4e769","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=204361a77f4018627addd4a06877448f088ddfc0 <5a20ebf0c81b61f5ea3b1b529c100cad69b9f603","product":{"name":"Linux Linux >=204361a77f4018627addd4a06877448f088ddfc0 <5a20ebf0c81b61f5ea3b1b529c100cad69b9f603","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=204361a77f4018627addd4a06877448f088ddfc0 <252c5051dba9c709b6a72f2866f93e5e618b3f06","product":{"name":"Linux Linux >=204361a77f4018627addd4a06877448f088ddfc0 <252c5051dba9c709b6a72f2866f93e5e618b3f06","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=204361a77f4018627addd4a06877448f088ddfc0 <d376c131af7c7739a87ff037ed2fdb67c2542c8a","product":{"name":"Linux Linux >=204361a77f4018627addd4a06877448f088ddfc0 <d376c131af7c7739a87ff037ed2fdb67c2542c8a","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=204361a77f4018627addd4a06877448f088ddfc0 <d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc","product":{"name":"Linux Linux >=204361a77f4018627addd4a06877448f088ddfc0 <d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5","product":{"name":"Linux Linux 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=5.8.6 <5.9","product":{"name":"Linux Linux >=5.8.6 <5.9","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"5.9","product":{"name":"Linux Linux 5.9","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.6.141","product":{"name":"Linux Linux 6.6.141","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.91","product":{"name":"Linux Linux 6.12.91","product_id":"CSAFPID-11","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.33","product":{"name":"Linux Linux 6.18.33","product_id":"CSAFPID-12","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.10","product":{"name":"Linux Linux 7.0.10","product_id":"CSAFPID-13","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1-rc4","product":{"name":"Linux Linux 7.1-rc4","product_id":"CSAFPID-14","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46274","title":"io-wq: check that the predecessor is hashed in io_wq_remove_pending()","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct->work_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq->hash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx->io_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8"],"fixed":["CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12","CSAFPID-13","CSAFPID-14"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 252c5051dba9c709b6a72f2866f93e5e618b3f06, 5.9, 5a20ebf0c81b61f5ea3b1b529c100cad69b9f603, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1-rc4, d376c131af7c7739a87ff037ed2fdb67c2542c8a, d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc, d6bda9df0c0a3080804181464d5c0f4d78a4e769.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8"]}]}]}