{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "204361a77f4018627addd4a06877448f088ddfc0"
            },
            {
              "fixed": "d6bda9df0c0a3080804181464d5c0f4d78a4e769"
            },
            {
              "fixed": "5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"
            },
            {
              "fixed": "252c5051dba9c709b6a72f2866f93e5e618b3f06"
            },
            {
              "fixed": "d376c131af7c7739a87ff037ed2fdb67c2542c8a"
            },
            {
              "fixed": "d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.8.6"
            },
            {
              "fixed": "5.9"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.9.0"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46274.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq-\u003ehash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct-\u003ework_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(\u0026work-\u003eflags) \u003e\u003e IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq-\u003ehash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq-\u003ehash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx-\u003eio_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot.",
  "id": "CVE-2026-46274",
  "modified": "2026-07-09T03:51:41.600590587Z",
  "published": "2026-06-08T14:30:53.323Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46274.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46274"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "io-wq: check that the predecessor is hashed in io_wq_remove_pending()"
}