Listen to this Post
The vulnerability resides in the io_uring zcrx (zero-copy receive) component of the Linux kernel. When initializing a scatter‑gather (sg) list for a zero‑copy operation, memory is allocated to hold the page array. If the sg initialization fails (for example, due to an unsupported configuration or out‑of‑memory condition), the code correctly frees the leaked pages but does not release the page array itself .
The failure occurs because the initial patch (d9f595b9a65e) that fixed the page leakage missed freeing the container structure that points to those pages . As a result, the page array remains pinned in kernel memory even after the operation is abandoned.
A local attacker can repeatedly trigger this error path by crafting I/O requests that cause sg initialization failures. Over time, the unreleased page arrays accumulate, leading to memory exhaustion. Because the leak consumes kernel memory that is not freed until system reboot, it can cause denial‑of‑service conditions on long‑running systems.
The vulnerability affects Linux kernel versions starting from 6.17 (introduced by commit b84621d96ee0) up to but not including 6.18.10 and 6.19. The issue was fixed in mainline by commits 64cf3016234c (6.18.10) and 0ae91d8ab709 (6.19).
dailycve form:
Platform: Linux kernel
Version: 6.17 – 6.18.9
Vulnerability : Memory leak
Severity: High (7.1)
date: 2026‑03‑18
Prediction: 2026‑03‑25
What Undercode Say:
Check kernel version: uname -r Trigger the leak (requires local user): (Simplified example – actual exploit depends on io_uring setup) ./leak_trigger Monitor kernel memory to detect exhaustion: cat /proc/meminfo | grep -E "MemFree|Slab" Verify that the system has the patch: grep -i "64cf3016234c" /proc/version
Exploit:
No public exploit is currently available. However, a local unprivileged attacker can repeatedly send crafted io_uring zcrx requests that fail sg list initialization. Each failure leaks a small page array; repeated operations eventually exhaust kernel memory.
Protection from this CVE:
- Update the kernel to version 6.18.10 or later.
- If an immediate update is not possible, apply the backported patch (commit 64cf3016234c or 0ae91d8ab709).
- Restrict access to /dev/io_uring for untrusted local users where feasible.
Impact:
- Denial of service due to kernel memory exhaustion.
- Information disclosure – leaked page arrays may retain previous process data.
- Low attack complexity – requires only local unprivileged access.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

