CVE-2026-31484
Received - Intake
Out-of-Bounds Read in Linux Kernel io_uring fdinfo Component

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array.

The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes.

Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 6.19
linux linux_kernel From 6.19.1 (inc) to 6.19.11 (exc)
CWE
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an out-of-bounds (OOB) read in the Linux kernel's io_uring subsystem, specifically in the fdinfo functionality. The problem occurs in the function __io_uring_show_fdinfo(), which iterates over pending submission queue entries (SQEs). For 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, the code needs to detect when the second half of the SQE would fall past the end of the sq_sqes array. The existing check tests the incremented sq_head value, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index, sq_idx = (i + sq_head) & sq_mask, can therefore be the last slot while the wrap check still passes, and the second half of the SQE is then read from past the end of the array.

The fix involves checking the actual array index (sq_idx) directly instead of relying on the sq_head increment condition. This ensures that the iteration does not read beyond the valid array boundary while maintaining the logic to skip the second half of the 128-byte SQE on the next iteration.
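
The index arithmetic described above can be reproduced in user space. The following is an added illustration, not the kernel's code: the ring size, the walk() helper, the is_128 input array and the exact form of the fixed check (sq_idx == sq_mask) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

#define SQ_ENTRIES 8u                 /* constructed ring size (power of two) */
#define SQ_MASK    (SQ_ENTRIES - 1u)

/* Constructed input: a 128-byte SQE whose first half sits in the last slot. */
static const bool last_slot_128[SQ_ENTRIES] = { [SQ_MASK] = true };

/*
 * Model of the loop's index arithmetic. is_128[slot] marks slots holding the
 * first half of a 128-byte SQE. Returns how many times the walk would go on
 * to read slot sq_idx + 1 == SQ_ENTRIES, one slot past the end of the array.
 */
static unsigned int walk(unsigned int sq_head, unsigned int pending,
                         const bool *is_128, bool fixed)
{
    unsigned int oob = 0;

    for (unsigned int i = 0; i < pending; i++) {
        unsigned int sq_idx = (i + sq_head) & SQ_MASK;

        if (!is_128[sq_idx])
            continue;                 /* 64-byte SQE: no second half */

        if (fixed) {
            if (sq_idx == SQ_MASK)    /* assumed fixed form: test the real index */
                break;
            sq_head++;                /* still skip the second half next time */
        } else {
            if ((++sq_head & SQ_MASK) == 0)   /* original wrap check */
                break;
        }
        if (sq_idx + 1 >= SQ_ENTRIES) /* second half lies past the array */
            oob++;
    }
    return oob;
}

int main(void)
{
    printf("original, sq_head=0: %u OOB\n", walk(0, 8, last_slot_128, false));
    printf("fixed,    sq_head=0: %u OOB\n", walk(0, 8, last_slot_128, true));
    printf("original, sq_head=7: %u OOB\n", walk(7, 1, last_slot_128, false));
    return 0;
}
```

In this model the original check only catches the last-slot case when the walk starts there (i = 0 with sq_head on the last slot); for any other starting head the loop offset i is ignored by the check and the past-the-end read goes undetected.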


How can this vulnerability impact me?

An out-of-bounds read vulnerability like this can potentially lead to information disclosure, where sensitive kernel memory might be read unintentionally. This could allow an attacker with access to the io_uring interface to gain unauthorized information about kernel memory contents.

While the description does not specify exploitation details such as privilege escalation or denial of service, out-of-bounds reads generally pose a risk of leaking sensitive data or causing system instability.

