CVE-2026-23473: Time-of-check Time-of-use (TOCTOU) Race Condition in Linux

Severity: 4.7 MEDIUM (no vector)
EPSS: 0.0% (top 94.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 3

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix multishot recv missing EOF on wakeup race

When a socket send and shutdown() happen back-to-back, both fire wake-ups before the receiver's task_work has a chance to run. The first wake gets poll ownership (poll_refs=1), and the second bumps it to 2. When io_poll_check_events() runs, it calls io_poll_issue() which does a recv that reads the data and returns IOU_RETRY. The loop then drains all accumulated refs

Affected Packages (4 packages)

Debian: linux/linux_kernel < 6.19.10-1
CVEListV5: linux/linux dbc2564cfe0faff439dc46adb8c009589054ea46 0f4ce79b8db7b040373fc664c8bc6c5fd74bd196 +3
debian: debian/linux < linux 6.19.10-1 (forky)

🔴 Vulnerability Details (2)

GHSA (2026-04-03)
GHSA-c5mp-x9x5-3g5v: In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix multishot recv missing EOF on wakeup race When a socket send
OSV (2026-04-03)
CVE-2026-23473: In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix multishot recv missing EOF on wakeup race When a socket send an

📋 Vendor Advisories (3)

Red Hat (2026-04-03)
kernel: io_uring/poll: fix multishot recv missing EOF on wakeup race
Microsoft (2026-04-02)
io_uring/poll: fix multishot recv missing EOF on wakeup race
Debian (2026)
CVE-2026-23473: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/po...

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-23473 Impact, Exploitability, and Mitigation Steps | Wiz