SB2026032090 - Missing release of memory after effective lifetime in Linux kernel io_uring
Published: March 20, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23263)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper memory management in the io_uring/zcrx component when handling page arrays during sg initialization failure. A local user can trigger a page array leak to disclose sensitive information.
Specifically, a previous fix addressed the page leaks but left the page array itself unfreed, so the array is never released.
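The error-path pattern described above, modeled in userspace C as an added example: it is not the kernel's io_uring/zcrx code, and every function name in it is a hypothetical stand-in. An allocation counter makes the unfreed array observable when the sg step fails.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not kernel code. */
static int live_allocs;                 /* allocations not yet freed */

static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Allocate the page array, then "pin" nr pages into it. */
static void **pin_pages_model(int nr)
{
    void **pages = track_alloc(nr * sizeof(*pages));
    for (int i = 0; pages && i < nr; i++)
        pages[i] = track_alloc(64);
    return pages;
}

static void unpin_pages_model(void **pages, int nr)
{
    for (int i = 0; i < nr; i++)
        track_free(pages[i]);
}

/* Stand-in for sg initialization; fails on request. */
static int sg_init_model(int fail) { return fail ? -1 : 0; }

/* fixed == 0: error path releases the pages but not the array (the leak).
 * fixed == 1: error path releases the pages and the array. */
static int import_model(int nr, int fail, int fixed)
{
    void **pages = pin_pages_model(nr);
    if (!pages)
        return -1;
    int ret = sg_init_model(fail);
    if (ret) {
        unpin_pages_model(pages, nr);
        if (fixed)
            track_free(pages);
        return ret;
    }
    /* Success: the model tears everything down immediately. */
    unpin_pages_model(pages, nr);
    track_free(pages);
    return 0;
}

/* Allocations still live after one import of 8 pages. */
int live_after(int fail, int fixed) { live_allocs = 0; import_model(8, fail, fixed); return live_allocs; }

int main(void) { printf("leaky=%d fixed=%d\n", live_after(1, 0), live_after(1, 1)); return 0; }
```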
Remediation
Install the update from the vendor's website.