There's considerable difficulty these days extrapolating "real" vulnerabilities from kernel CVEs, as the kernel team quite reasonably feel that basically any bug can be a vulnerability in the right situation, but the list of vulnerabilities in io_uring over the past 12 months[2] is pretty staggering to me.
0: https://github.com/containerd/containerd/pull/9320
1: https://security.googleblog.com/2023/06/learnings-from-kctf-...
3: https://nvd.nist.gov/vuln/search#/nvd/home?offset=0&rowCount...
https://www.cve.org/CVERecord/SearchResults?query=io_uring seems to back that up. Only one relevant CVE listed there for 2026 so far, versus more than two per month on average in 2025. Caveat: I've not looked into the severity and ease of exploit for any of the issues listed.
Remember the Linux kernel's policy of assigning a CVE to every single bug, in protest at the stupid way CVEs were being assigned before that.
You obviously didn't read to the end of my little post, yet feel righteous enough to throw that out…
> One allows the root user to create a kernel thread and then block its shutdown for several minutes.
Which, as part of a compromise chain, could cause a DoS issue that might be able to bypass common protections like cgroup-imposed limits.
Depending on how much performance would be gained by using io_uring in a particular case, and how many layers of protection exist around your server, it might be a risk worth taking.
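Whether that trade-off is even on the table depends on whether io_uring is reachable from the process in question: Docker's default seccomp profile returns EPERM for the io_uring_* syscalls, and the kernel.io_uring_disabled sysctl (Linux 6.6 and later; 1 blocks unprivileged callers, 2 blocks everyone) makes io_uring_setup(2) fail with EPERM as well. The probe below is an added example, not code from any commenter or from the linked projects; it attempts to create a one-entry ring and classifies the result. The fallback syscall number 425 is the generic value and is an assumption for older headers, and the errno-to-state mapping is mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/io_uring.h>

/* Generic syscall number for io_uring_setup; only used if the headers lack it (assumption). */
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

enum io_uring_state {
    IOU_AVAILABLE,    /* ring created: io_uring is usable from this context */
    IOU_BLOCKED,      /* EPERM: seccomp filter or kernel.io_uring_disabled */
    IOU_UNSUPPORTED,  /* ENOSYS: kernel predates io_uring or filter returns ENOSYS */
    IOU_OTHER         /* anything else (e.g. resource limits); inspect errno */
};

/* Map the errno from io_uring_setup(2) to a coarse state. Kept pure so it is testable. */
enum io_uring_state classify_setup_errno(int err) {
    switch (err) {
    case 0:      return IOU_AVAILABLE;
    case EPERM:  return IOU_BLOCKED;
    case ENOSYS: return IOU_UNSUPPORTED;
    default:     return IOU_OTHER;
    }
}

const char *io_uring_state_name(enum io_uring_state s) {
    switch (s) {
    case IOU_AVAILABLE:   return "available";
    case IOU_BLOCKED:     return "blocked";
    case IOU_UNSUPPORTED: return "unsupported";
    default:              return "other";
    }
}

/* Try to create a minimal ring. Returns 0 on success (ring closed again) or the errno. */
int probe_io_uring(void) {
    struct io_uring_params p;
    memset(&p, 0, sizeof p);          /* reserved fields must be zero or the kernel rejects it */
    long fd = syscall(__NR_io_uring_setup, 1, &p);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

int main(void) {
    int err = probe_io_uring();
    enum io_uring_state s = classify_setup_errno(err);
    printf("io_uring: %s", io_uring_state_name(s));
    if (err)
        printf(" (io_uring_setup: %s)", strerror(err));
    printf("\n");
    return s == IOU_AVAILABLE ? 0 : 1;
}
```

Run it from inside the container or service account you intend to deploy, not just on the host: the answer is per-process, since seccomp filters and the `io_uring_group` carve-out for `kernel.io_uring_disabled=1` depend on the caller's context.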