PT-2026-52287 · Linux · Linux
Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-53191
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
When a bundle recv retries inside io_recv_finish(), the merge logic ORs
the saved cflags from the previous iteration with the cflags returned by
the new iteration:
    cflags = req->cqe.flags | (cflags & CQE_F_MASK);
Bits listed in CQE_F_MASK are inherited from the new iteration, and all
other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the
saved cflags. Before this change CQE_F_MASK covered only
IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.
When using provided buffer rings (IOU_PBUF_RING_INC) with incremental
mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring
entry partially consumed; io_put_kbufs() then sets
IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the
buffer ID will be reused for subsequent completions.
Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above
silently dropped it whenever the final retry iteration partially
consumed the buffer, and the subsequent req->cqe.flags = cflags &
~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the
carried-over cflags had one been present. Userspace would then
wrongfully advance its ring head past an entry the kernel still uses.
Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the
new iteration into the user-visible CQE and stripped from the saved
cflags between iterations.
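An added userspace model of the merge described above, not the kernel's own code: it applies the quoted save and merge expressions with the mask as it was before and after the change. The helper names, the two-iteration simplification and the sample buffer ID 7 are assumptions; the flag values are local copies of the io_uring uapi definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Local copies of the CQE flag bits, values as in the io_uring uapi header. */
#define IORING_CQE_F_BUFFER        (1U << 0)
#define IORING_CQE_F_MORE          (1U << 1)
#define IORING_CQE_F_SOCK_NONEMPTY (1U << 2)
#define IORING_CQE_F_BUF_MORE      (1U << 4)
#define IORING_CQE_BUFFER_SHIFT    16

#define MASK_OLD (IORING_CQE_F_SOCK_NONEMPTY | IORING_CQE_F_MORE)
#define MASK_NEW (MASK_OLD | IORING_CQE_F_BUF_MORE)

/* Constructed sample cflags: buffer ID 7, fully vs. partially consumed. */
#define FULL ((7U << IORING_CQE_BUFFER_SHIFT) | IORING_CQE_F_BUFFER)
#define PART (FULL | IORING_CQE_F_BUF_MORE)

/* Hypothetical model: two recv iterations of one bundle request.
 * 'first' is saved across the retry, 'last' is merged into the posted CQE. */
static uint32_t bundle_recv(uint32_t first, uint32_t last, uint32_t mask)
{
	uint32_t saved = first & ~mask;  /* req->cqe.flags = cflags & ~CQE_F_MASK */
	return saved | (last & mask);    /* cflags = req->cqe.flags | (cflags & CQE_F_MASK) */
}

/* Consumer side: the head entry may be released only when BUF_MORE is clear. */
static int user_advances_head(uint32_t cqe_flags)
{
	return !(cqe_flags & IORING_CQE_F_BUF_MORE);
}

int main(void)
{
	/* Final iteration partially consumes the buffer: the old mask drops BUF_MORE. */
	printf("last partial: old advance=%d, new advance=%d\n",
	       user_advances_head(bundle_recv(FULL, PART, MASK_OLD)),
	       user_advances_head(bundle_recv(FULL, PART, MASK_NEW)));
	/* Earlier iteration was partial: the old mask carries a stale BUF_MORE. */
	printf("first partial: old BUF_MORE=%d, new BUF_MORE=%d\n",
	       !user_advances_head(bundle_recv(PART, FULL, MASK_OLD)),
	       !user_advances_head(bundle_recv(PART, FULL, MASK_NEW)));
	return 0;
}
```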
Affected Products
Linux