CVE-2024-56709

io_uring: check if iowq is killed before queuing

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case. Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race.

N/A
CVSS
Severity:
EPSS 0.04%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/534d59ab38010aada88390db65985e65d0de7d9e
https://git.kernel.org/stable/c/2ca94c8de36091067b9ce7527ae8db3812d38781
https://git.kernel.org/stable/c/4f95a2186b7f2af09331e1e8069bcaf34fe019cf
https://git.kernel.org/stable/c/dbd2ca9367eb19bc5e269b8c58b0b1514ada9156

Frequently Asked Questions

What is the severity of CVE-2024-56709?
CVE-2024-56709 has not yet been assigned a CVSS score.
How to fix CVE-2024-56709?
To fix CVE-2024-56709, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-56709 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-56709 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-56709?
CVE-2024-56709 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.