Linux Kernel io_uring Wait Queue Race (CVE-2025-40047)
CVE-2025-40047 Published on October 28, 2025
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
Products Associated with CVE-2025-40047
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Linux:- Version f31ecf671ddc498f20219453395794ff2383e06b and below 696ba6032081e617564a8113a001b8d7943cb928 is affected.
- Version f31ecf671ddc498f20219453395794ff2383e06b and below 3e2205db2f0608898d535da1964e1b376aacfdaa is affected.
- Version f31ecf671ddc498f20219453395794ff2383e06b and below 2f8229d53d984c6a05b71ac9e9583d4354e3b91f is affected.
- Version 6.7 is affected.
- Before 6.7 is unaffected.
- Version 6.12.53, <= 6.12.* is unaffected.
- Version 6.17.3, <= 6.17.* is unaffected.
- Version 6.18, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.