CVE-2022-1786: Linux kernel use-after-free

Kernels from 5.10 to 5.11 are affected unless patched or updated.

The bug

The io_uring subsystem contained a bug in the io_req_init_async function: an incorrect pointer was used in an assignment, which could lead to dereferencing an already-freed pointer, and this in turn could be exploited to achieve local privilege escalation. The faulty assignment was:

struct io_uring_task *tctx = current->io_uring;

while the correct operation is:

struct io_uring_task *tctx = req->task->io_uring;

In other words, the current pointer was the wrong one to use here: the request must be bound to the task it belongs to, not to whichever task happens to be running.
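As an added illustration (not kernel code and not part of the original write-up), here is a constructed user-space model of why the two assignments differ: a request owned by task A is prepared for async execution while a different task B is current, and B exits before the request completes. The struct names mirror the kernel's, but the task and teardown model is a simplifying assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the io_req_init_async defect described
 * above; the names mirror the kernel's, but nothing here is kernel code. */
struct io_uring_task { bool freed; };
struct task_struct   { struct io_uring_task *io_uring; };
struct io_kiocb      { struct task_struct *task; struct io_uring_task *tctx; };

static struct task_struct *current;   /* stand-in for the kernel's current */

/* Vulnerable variant: binds the request to whatever task happens to run. */
static void io_req_init_async_buggy(struct io_kiocb *req)
{
    struct io_uring_task *tctx = current->io_uring;
    req->tctx = tctx;
}

/* Fixed variant: binds the request to the task that actually owns it. */
static void io_req_init_async_fixed(struct io_kiocb *req)
{
    struct io_uring_task *tctx = req->task->io_uring;
    req->tctx = tctx;
}

/* Models task teardown: the per-task io_uring context is released. */
static void task_exit(struct task_struct *t) { t->io_uring->freed = true; }

/* Later use of the request's context; -1 flags a touch of freed memory. */
static int io_req_complete(const struct io_kiocb *req)
{
    return req->tctx->freed ? -1 : 0;
}

/* Task A owns the request, but a different task B runs the async setup
 * and then exits before the request completes. Returns io_req_complete(). */
int run_scenario(bool use_fix)
{
    struct io_uring_task tctx_a = { false }, tctx_b = { false };
    struct task_struct a = { &tctx_a }, b = { &tctx_b };
    struct io_kiocb req = { &a, NULL };

    current = &b;
    if (use_fix) io_req_init_async_fixed(&req);
    else         io_req_init_async_buggy(&req);
    task_exit(&b);                /* B's context is gone */
    current = &a;
    return io_req_complete(&req); /* buggy: -1 (use-after-free), fixed: 0 */
}
```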

Useful Links