CVE-2025-71149

When the core of iouring was updated to handle completions consistently and with fixed return codes, the POLLREMOVE opcode with updates got slightly broken. If a POLLADD is pending and then POLLREMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted.

Additionally, ensure that if an update does cause an existing POLLADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever iopoll_add() set the value to should just be retained.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71149.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

97b388d70b53fd7d286ac1b81e5a88bd6af98209

Fixed

8b777ab48441b153502772ecfc78c107d4353f29

Fixed

0126560370ed5217958b85657b590ad25e8b9c00

Fixed

c1669c03bfbc2a9b5ebff4428eecebe734c646fe

Fixed

13a8f7b88c2d40c6b33f6216190478dda95d385f

Fixed

84230ad2d2afbf0c44c32967e525c0ad92e26b4e

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71149.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.160

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.120

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.64

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71149.json"