The Ol' Switcheroo: How a Typos in io_uring Nuked Kernel Queues
Jan 15, 2026·5 min read·0 visits
Executive Summary (TL;DR)
In io_uring network commands, a call to skb_queue_splice() had its arguments transposed. This caused the permanent socket error queue to be moved into a temporary on-stack list that gets destroyed when the function returns. The result is data loss, state corruption, and a high probability of a kernel crash (DoS) triggered by a local user.
A classic logic error in the Linux kernel's io_uring subsystem where a developer confused the source and destination arguments in a list-splicing function. Instead of saving temporary data to the socket queue, the kernel accidentally emptied the socket's critical error queue into a temporary variable destined for oblivion.
Official Patches
Fix Analysis (2)
Technical Appendix
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Linux Kernel Linux | >= 6.17, < 6.17.11 | 6.17.11 |
| Attribute | Detail |
|---|---|
| Attack Vector | Local |
| CVSS v3.1 | 6.2 (Medium) |
| Impact | Denial of Service (System Crash) |
| Vulnerability Type | Logic Error (Argument Transposition) |
| Affected Subsystem | io_uring / net |
| EPSS Score | 0.00024 |
MITRE ATT&CK Mapping
The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to incorrect behavior or security vulnerabilities.