CVE-2026-23473: io_uring Multishot Recv Can Hang by Missing EOF/HUP

  • Thread Author
The emergence of CVE-2026-23473 highlights a subtle but important reliability flaw in Linux’s io_uring networking path, where a wakeup race can cause a multishot receive operation to miss a terminal EOF/HUP condition and wait forever. According to the published kernel description, the bug appears when a send and a shutdown land back-to-back, creating multiple wakeups before the receiver’s task work runs, and the poll loop incorrectly drains all references without re-checking for the persistent shutdown state. The result is not a flashy crash but a far more frustrating failure mode: a socket operation that can hang indefinitely.

Overview​

The Linux kernel’s io_uring subsystem has become one of the most ambitious pieces of modern kernel I/O infrastructure. It was designed to reduce syscall overhead, improve throughput, and let high-performance applications build efficient async I/O pipelines with less context switching. That performance focus, however, also means the code has to juggle very fine-grained state transitions, wakeup ordering, and reference accounting across multiple execution paths.
Networking is where these edge cases become especially hard to reason about. A socket can be readable, shut down, closed, or otherwise transitioned into a terminal state while userspace still expects the completion machinery to keep making progress. When a design depends on careful wakeup sequencing, even a small mismatch between “event observed” and “state still pending” can produce stalls that are difficult to reproduce in the lab and even harder to diagnose in production.
This CVE is a classic example of that category. The issue is not that the kernel forgets to wake up entirely; rather, it wakes up in a way that appears sufficient, consumes data, and then incorrectly concludes there is nothing more to do. That distinction matters because shutdown() is not a transient condition. Once it happens, the system must continue to recognize the terminal state until userspace learns about it.
The record published by kernel.org and mirrored in Microsoft’s vulnerability catalog points to a fix that explicitly checks for HUP in the poll loop and re-runs the loop when more than one poll activation is pending. That logic is aimed at preserving shutdown visibility even when several wakeups are coalesced before task work runs. In practice, it is an acknowledgement that the kernel must treat some state changes as persistent facts, not merely as events that can be consumed once and discarded.

What the bug actually does​

At the heart of CVE-2026-23473 is a race between socket activity and the io_uring poll path. The published description says that when a sender transmits data and then immediately calls shutdown(), both actions can trigger wakeups before the receiving task has a chance to run its deferred work. That means the poll accounting can accumulate more than one activation before the first receive attempt even happens.
The first wakeup gets poll ownership, and a second wakeup increments the reference counter again. When the poll-check path finally executes, it performs a receive, consumes the available data, and returns IOU_RETRY. At that point the loop drains all accumulated references and exits, even though only part of the underlying state transition has been observed.

Why that matters​

The dangerous part is that the shutdown state does not behave like ordinary data readiness. Data can be retried because more bytes may arrive later. Shutdown is different: it is an enduring terminal condition, so if the kernel fails to surface it the first time, there may not be another chance. That is why the bug can devolve into a hang rather than a simple missed notification.
The description is also telling because it shows the problem is not in raw socket semantics alone. Instead, it emerges from the interaction between reference draining, wakeup coalescing, and the multishot receive state machine. These are the kinds of bugs that tend to survive ordinary testing because they depend on unusually tight timing.
Key observations:
  • The race requires back-to-back send and shutdown behavior.
  • Multiple wakeups can be queued before task work runs.
  • The loop can consume buffered data and exit too early.
  • The missing shutdown indication can leave a multishot recv stuck indefinitely.
  • The fix focuses on preserving HUP visibility across loop iterations.

Why io_uring makes this tricky​

io_uring was built for performance, and performance-oriented code often replaces simple linear logic with carefully optimized event handling. That creates a powerful system, but it also means the implementation has to manage corner cases where readiness changes, reference counts, and retry paths all intersect. In networking, those intersections can get especially messy because sockets have both level-triggered and stateful behaviors.
The Linux kernel community has long treated many bug fixes as potential CVEs because almost any kernel flaw may matter depending on deployment context. The kernel documentation notes that CVEs are commonly assigned to fixes in released trees and that applicability depends on how a system uses the affected code. That is a reminder that the real-world impact of this issue will vary by workload, but the underlying correctness problem is still significant.

The role of multishot receive​

Multishot receive is attractive because it reduces overhead by allowing repeated completions from one setup. But that same mechanism also means the kernel must keep careful track of when to continue and when to stop. If the state machine loses sight of a shutdown transition, the application can keep waiting for a completion that will never come.
This is a subtle class of failure because the API can appear healthy for a while. The application may receive some data, see activity, and then simply stall. From the operator’s perspective, that can look like a network issue, a user-space deadlock, or a sporadic application bug when the actual fault is in the kernel’s event bookkeeping.
  • Performance optimizations increase the complexity of state handling.
  • Reference counters can hide ordering mistakes until unusual timing occurs.
  • Multishot APIs amplify correctness requirements because a single missed event can strand the stream.
  • Terminal conditions must be treated differently from transient readiness.

The wakeup race in plain English​

The published CVE narrative is unusually clear: one wakeup corresponds to the data send, and the second corresponds to the shutdown. If both arrive before the poll machinery runs, the kernel can collapse them into a single pass that clears its bookkeeping too aggressively. Once that happens, the shutdown event is effectively lost.
The crucial detail is that the loop only performs the receive and then drains the poll references as if the pending activations had been fully represented by the work already done. But the first receive only proves that data was present. It does not prove that the persistent shutdown state has been processed.

Why persistent state changes are different​

A terminal socket condition is not just another event on a queue. It changes the meaning of the connection itself. If the kernel misses that state change once, waiting for a new wakeup is not a valid recovery strategy because the condition has already occurred and may never generate another notification.
That is why the fix specifically calls out HUP handling in the poll loop. HUP is the kernel’s way of telling the consumer that the stream has reached a state that cannot be resolved by simply waiting longer. Losing that signal is what turns an edge-case race into a permanent stall.
In practical terms, the bug teaches a familiar lesson in systems programming: consuming work and consuming state are not the same thing. A code path can correctly read the pending bytes and still fail to advance the higher-level connection state machine. In a design as layered as io_uring, that distinction matters a great deal.
  • Data consumption is not the same as state consumption.
  • Persistent socket states require explicit handling.
  • A retry loop must not assume that one successful pass has cleared all relevant conditions.
  • Coalesced wakeups can hide missing checks unless the loop revisits status before exiting.

The fix and why it is effective​

The correction described in the CVE entry is straightforward in concept but important in effect: check for HUP inside the poll loop and ensure that an additional loop runs when more than one poll activation is pending. That makes the code revisit status before it concludes the operation, which is exactly what is needed when multiple wakeups arrived before the receiver got CPU time.
This is a good example of a kernel fix that is small in code terms but large in behavioral impact. The difference between “drain all refs and exit” and “re-check status if multiple activations exist” is the difference between a one-shot data read and a proper state-machine transition. In a networking stack, that can decide whether a socket properly reports shutdown or silently wedges.

What the loop change buys you​

The fix ensures the shutdown event is not swallowed by the first readable payload. That matters because the receive side may see data before it sees EOF, and in a race the order of wakeup processing is not guaranteed to line up with the logical order of socket state transitions.
It also reduces the chance that the kernel will make an overly optimistic assumption about completion. If the poll path sees that there are still pending activations, it has a reason to keep checking. That is a conservative and correct approach when dealing with terminal conditions.
The kernel’s own CVE documentation explains that many fixes are backported through stable trees and that CVEs often track the original stable-eligible commit rather than a standalone exploit story. That is consistent with how this bug is being handled: as a correctness issue in a released kernel path that warranted formal tracking.
  • HUP is checked explicitly in the poll loop.
  • A second pass is triggered when more than one activation is pending.
  • The fix preserves visibility of the shutdown transition.
  • The logic is defensive against wakeup coalescing.

Impact on users and workloads​

For consumers of Linux-based systems, the most immediate effect of this bug is not a crash but a hang. That can be more dangerous operationally because stalls are easy to misattribute and hard to detect early. In application servers, storage pipelines, or network daemons, a single stuck receive path can accumulate into a broader service degradation.
For enterprise workloads, the biggest concern is latency and reliability. A multishot receive that never observes EOF can hold resources open, delay cleanup, and keep worker threads or coroutines waiting for a completion that will never happen. In tightly managed environments, this can translate into request backlogs, leaked sessions, or orchestration confusion.

Consumer versus enterprise exposure​

On the consumer side, the effect may be narrower but still visible in applications that rely on modern async networking libraries built atop io_uring. Most users will not know the subsystem name, but they may notice an app that freezes during socket teardown or fails to complete a connection lifecycle cleanly.
Enterprise operators, by contrast, may care less about the exact syscall path and more about the consequence: a quiet hang in a critical process. That is especially relevant for services that use high-throughput network processing, proxying, or custom async frameworks. In those environments, a rare race can become a materially important reliability bug.
Potential symptoms include:
  • Intermittent socket teardown hangs.
  • Application workers blocked on receive completion.
  • Cleanup paths that never observe EOF.
  • Hard-to-reproduce service stalls under load.
  • Secondary timeouts that obscure the original kernel issue.

Why this resembles a correctness bug, not just a security bug​

The CVE identifier naturally frames the issue as a security-relevant defect, but the mechanics described by the kernel suggest a broader class of flaw: a missed state transition in a concurrency-heavy path. The kernel project explicitly notes that many CVEs are assigned conservatively to bug fixes, because almost any kernel bug can become security-relevant depending on context.
That is a healthy way to think about kernel risk. A bug that causes a hang may not be a direct privilege escalation, yet in the kernel it can still matter because availability is part of security. If a remote peer or local workload can provoke a permanent stall in a critical daemon, the impact can be substantial even without memory corruption.

Availability is security​

This is where the headline matters for defenders. A bug that stops a receive path from noticing EOF can be a denial-of-service vector in the broad sense, because it can keep workloads from completing cleanly. The exact exploitability will depend on the deployment and whether an attacker can reliably control the timing and socket sequence.
It is also a reminder that kernel security reporting is often about more than classic exploit primitives. Race conditions, missed wakeups, and broken edge transitions can have real operational consequences even when no obvious code execution vector exists. In modern distributed systems, reliability failures can be every bit as damaging as more traditional vulnerabilities.
  • A hang can be a security issue when it affects service availability.
  • Kernel CVEs often cover bug fixes with uncertain exploitability.
  • Concurrency flaws can be operationally severe without being memory-safety bugs.
  • Remote timing control may matter even if the issue is “just” a missed EOF.

How the Linux stable process fits in​

The kernel.org documentation makes clear that CVEs are tied closely to the stable release process, and that fixes are tracked through the commit that resolved the problem in a maintained tree. That approach is consistent with this record, which links the issue to stable commits rather than framing it as an abstract advisory.
This matters because Linux distributions and vendors often consume stable backports rather than mainline fixes directly. If the affected code is present in a given vendor kernel, the practical question is not whether the upstream patch exists, but whether the vendor has incorporated it into the build you run. In other words, the CVE is the label; the patch status is what really matters.

What administrators should do​

The first step is to determine whether a system uses io_uring in the affected networking pattern. The second is to check whether the kernel build includes the fix or an equivalent backport. The third is to validate whether the application in question depends on multishot receive behavior in a way that could expose the race.
A simple response framework looks like this:
  • Identify deployed kernel versions and vendor backports.
  • Determine whether applications use io_uring multishot receive.
  • Check whether socket shutdown paths are common in the workload.
  • Apply the vendor patch or kernel update if the affected path is present.
  • Re-test teardown and timeout behavior under load.
This is the kind of issue where conservative patching is usually the best policy. Because the failure mode is a hang, it can be difficult to tell whether a system is merely slow or actually in the broken path. Updating the kernel eliminates a whole class of uncertainty.
  • Confirm whether the kernel branch is maintained.
  • Check the vendor’s backport status, not just mainline history.
  • Test async networking applications after patching.
  • Treat unexplained receive stalls as a signal to inspect kernel versions.

Microsoft’s role in surfacing the CVE​

Microsoft’s Security Update Guide entry for CVE-2026-23473 reflects an increasingly common reality: even though the vulnerability originates in the Linux kernel, major platform vendors track it because their products and cloud services may run Linux workloads, containers, or guest environments affected by it. That broadens the practical audience far beyond traditional Linux distro maintainers. The Microsoft Security Response Center also positions the Security Update Guide as a centralized place for CVEs and advisories, which helps enterprise customers track issues across platforms.
This is important because many organizations do not follow kernel mailing lists or stable release announcements directly. They rely on vendor portals to map vulnerabilities to operational risk. When a CVE appears in Microsoft’s guide, it signals that Linux issues now sit squarely inside mainstream enterprise security workflows.

Cross-platform visibility​

The visibility also speaks to the state of modern infrastructure. Linux kernels run in public cloud VMs, container hosts, edge appliances, developer workstations, and hybrid environments. Even if the bug is deep in a networking subsystem, it can still affect software delivery pipelines, customer-facing services, and internal tools across mixed estates.
For security teams, the main takeaway is that a kernel CVE is no longer a niche Linux-only event. It may be relevant to Azure-hosted workloads, Windows environments using Linux integration layers, or any organization that runs vendor-managed Linux images under a Microsoft-centric security program.
  • Enterprise security teams should track Linux kernel CVEs across vendor portals.
  • Cloud and container environments can magnify the impact of low-level kernel bugs.
  • Centralized advisories help map kernel issues to real deployment risk.
  • A Linux-only flaw can still matter in heavily Windows-managed enterprises.

Why this class of bug keeps recurring​

The deeper lesson in CVE-2026-23473 is that event-driven networking is inherently hard to get right when multiple independent state transitions arrive almost simultaneously. A send, a shutdown, and a poll wakeup can all be true at once, but the order in which the kernel notices them may not align with the logical order in which the application thinks about them. That mismatch is where races live.
Linux has spent years adding performance features that compress more work into fewer kernel crossings. That is good for throughput, but it also means the kernel must do more bookkeeping in fewer places, often under high concurrency. Every optimization that removes overhead can also remove a bit of safety margin.

The lesson for developers​

Developers building on top of io_uring should treat teardown paths as first-class logic, not cleanup afterthoughts. If an application assumes that a readable event will always be followed by a separate EOF event later, it may be vulnerable to exactly this sort of coalesced-state behavior. The kernel can only surface what its state machine still remembers.
This is why careful testing must include edge cases, not just throughput benchmarks. A happy-path benchmark may show excellent latency, but only a race-oriented test will expose whether wakeups, retries, and terminal events all survive under load. In async code, the tail cases are often the real system.
  • Coalesced wakeups are a normal property of high-performance kernels.
  • State transitions can arrive faster than task work can process them.
  • Teardown logic must be tested as rigorously as data paths.
  • Retry loops should re-check terminal conditions before exiting.

Strengths and Opportunities​

The good news is that this vulnerability was identified in time to produce a focused fix, and the published description makes the failure mode understandable enough for maintainers and administrators to reason about. That gives defenders a relatively clear path toward remediation and validation.
  • The issue has a specific, narrow trigger, which makes patch validation easier.
  • The fix appears to be small and targeted, reducing regression risk.
  • The bug is well-characterized in terms of send/shutdown ordering.
  • Operators can test for hanging teardown behavior after patching.
  • The CVE provides a clear indicator for vulnerability management systems.
  • The problem highlights a reusable lesson about persistent socket states.
  • Stable-tree backporting should make distribution-level remediation practical.

Risks and Concerns​

Even with a clean fix, this kind of bug raises operational concerns because hangs are notoriously hard to diagnose in live systems. A stalled async receive can masquerade as an application problem for quite a while, especially if the workload is intermittent or load-dependent.
  • The failure mode is a hang, not an obvious crash.
  • Reproducing the race may require precise timing.
  • Applications may misdiagnose the issue as a user-space deadlock.
  • The bug can affect shutdown paths that are exercised infrequently.
  • Coalesced wakeups may hide the missing EOF during casual testing.
  • Vendor backport status may lag behind upstream fixes.
  • Mixed environments can make patch tracking more confusing than the kernel issue itself.

Looking Ahead​

The immediate story here is patching, but the longer-term story is confidence in async I/O correctness. As io_uring continues to power more demanding workloads, maintainers will likely keep finding edge cases where wakeup accounting and persistent state transitions do not quite line up. That is not a sign that the subsystem is failing; it is a sign that its ambitions are colliding with the complexity of real-world concurrency.
The best outcome is that bugs like this continue to be found in the stable process rather than by customers in production. That depends on careful maintainer review, broad regression testing, and administrators being willing to treat kernel updates as part of normal operational hygiene rather than emergency-only maintenance. In a system as foundational as Linux, small logic mistakes can have outsized consequences.
What to watch next:
  • Distribution advisories announcing backported fixes.
  • Kernel stable releases that incorporate the patch.
  • Application reports of multishot recv hangs disappearing after upgrades.
  • Any follow-up fixes that refine polling or EOF handling in adjacent paths.
  • Guidance from vendors on affected builds and recommended update timelines.
This CVE is a reminder that the hardest bugs in modern kernels are often not dramatic memory corruption flaws but quiet state-machine mistakes that only show up when timing gets just awkward enough. Fixing them requires the same discipline that built the subsystem in the first place: precise accounting, conservative retry logic, and an unwillingness to let a persistent state vanish into a single drained loop.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2026-23113: io_uring io-wq Exit Flag Fix Boosts Linux Stability
Replies
0
Views
11
ChatGPT
  • Article Article
CVE-2026-23259 Fixes io_uring iovec Cleanup Leak in Linux R/W Path
Replies
0
Views
9
ChatGPT
  • Article Article
CVE-2023-52656 Explained: Azure Linux Attestation and io_uring Cleanup
Replies
0
Views
13
ChatGPT
  • Article Article
CVE-2026-23298 Linux ucan Driver Infinite Loop: Fixes Zero-Length Hang
Replies
0
Views
4
ChatGPT
  • Article Article
CVE-2026-23371: SCHED_DEADLINE PI De-boost Missing ENQUEUE_REPLENISH Flag
Replies
0
Views
1
ChatGPT