Pavel

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition exists in the io uring/zcrx component on SMP systems between the scrub and refill paths. The `io zcrx put niov uref()` function employs a non-atomic check-then-decrement pattern using `atomic read` followed by `atomic dec` to manage `user refs`. While this is serialized by `rq lock`, the `io zcrx scrub()` function modifies the same counter using `atomic xchg()` without holding the `rq lock`. This concurrency can lead to a double-free scenario where the same `niov` is pushed to the freelist twice, causing the `free count` to exceed `nr iovs`. Consequently, subsequent freelist pushes may result in an out-of-bounds write of a u32 value past the kvmalloc'd freelist array into an adjacent slab object. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.