CVE-2026-31774
Awaiting Analysis Awaiting Analysis - Queue
Integer Overflow in Linux Kernel io_uring

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs() sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path: 1. io_recv(): sel.val = sr->len (ssize_t gets -1) 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF) 3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs() 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries. BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160 Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-03
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31774
EUVD
EUVD-2026-26587
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's io_uring/net subsystem, specifically in the io_bundle_nbufs() function. It arises because a length value (sqe->len), which is an unsigned 32-bit integer (__u32), is stored into a signed integer (int) field (sr->len). When userspace passes a length value greater than INT_MAX (for example, 0xFFFFFFFF), this causes an integer overflow, turning sr->len into a negative value.

This negative value then propagates through several functions, causing size variables to become extremely large due to type conversions and lack of proper clamping. Eventually, this leads to an infinite loop in io_bundle_nbufs() where the function reads beyond the allocated memory (slab-out-of-bounds read) because the loop counter increases instead of decreasing.

The issue is fixed by rejecting negative sr->len values early in the processing functions io_sendmsg_prep() and io_recvmsg_prep(), since any sqe->len value greater than INT_MAX is invalid.


How can this vulnerability impact me? :

This vulnerability can lead to a slab-out-of-bounds read in the Linux kernel, which means the kernel reads memory beyond the allocated buffer. Such out-of-bounds reads can cause system instability, crashes, or potentially expose sensitive kernel memory contents to an attacker.

Because the issue involves an infinite loop caused by incorrect length handling, it may also lead to denial of service (DoS) conditions by exhausting system resources or causing kernel panics.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value greater than INT_MAX indicates overflow and is not a valid length.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart