CVE-2025-40047 io_uring/waitid: always prune wait queue entry in io_waitid_wait()

🗓️ 28 Oct 2025 11:48:24Reported by LinuxType

Linux fix for io_uring waitid: prune wait queue entry on success to avoid race with cancellation.

Reporter	Title	Published	Views	Family All 241
Tenable Nessus	Amazon Linux 2023 : bpftool6.12, kernel6.12, kernel6.12-devel (ALAS2023-2025-1254)	28 Oct 202500:00	–	nessus
Tenable Nessus	AlmaLinux 10 : kernel (ALSA-2025:22854)	10 Dec 202500:00	–	nessus
Tenable Nessus	MiracleLinux 9 : kernel-5.14.0-611.9.1.el9_7 (AXSA:2025-11506:95)	13 Jan 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : kernel (openSUSE-SU-2025:20172-1)	24 Dec 202500:00	–	nessus
Tenable Nessus	Oracle Linux 9 : kernel (ELSA-2025-21469)	3 Dec 202500:00	–	nessus
Tenable Nessus	Oracle Linux 9 : kernel (ELSA-2025-21926)	3 Dec 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 : kernel (ELSA-2025-22854)	9 Dec 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-28040)	10 Dec 202500:00	–	nessus
Tenable Nessus	RHEL 9 : kernel (RHSA-2025:21469)	17 Nov 202500:00	–	nessus
Tenable Nessus	RHEL 9 : kernel (RHSA-2025:21933)	24 Nov 202500:00	–	nessus

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/waitid.c"
    ],
    "versions": [
      {
        "version": "f31ecf671ddc498f20219453395794ff2383e06b",
        "lessThan": "696ba6032081e617564a8113a001b8d7943cb928",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "f31ecf671ddc498f20219453395794ff2383e06b",
        "lessThan": "3e2205db2f0608898d535da1964e1b376aacfdaa",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "f31ecf671ddc498f20219453395794ff2383e06b",
        "lessThan": "2f8229d53d984c6a05b71ac9e9583d4354e3b91f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/waitid.c"
    ],
    "versions": [
      {
        "version": "6.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.7",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "6.12.53",
        "lessThanOrEqual": "6.12.*",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "6.17.3",
        "lessThanOrEqual": "6.17.*",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "6.18",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Source	Link
git	www.git.kernel.org/stable/c/3e2205db2f0608898d535da1964e1b376aacfdaa
git	www.git.kernel.org/stable/c/2f8229d53d984c6a05b71ac9e9583d4354e3b91f
git	www.git.kernel.org/stable/c/696ba6032081e617564a8113a001b8d7943cb928

11 May 2026 21:41Current

EPSS0.00024