CVE-2026-43006
Awaiting Analysis
Zero-Length Fixed Buffer Import in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: reject zero-length fixed buffer import

validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.

Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.

  BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
  Read of size 4 at addr ffff888002bcc254 by task poc/103
  Call Trace:
   io_import_reg_buf+0x697/0x7f0
   io_write_fixed+0xd9/0x250
   __io_issue_sqe+0xad/0x710
   io_issue_sqe+0x7d/0x1100
   io_submit_sqes+0x86a/0x23c0
   __do_sys_io_uring_enter+0xa98/0x1590
  Allocated by task 103:
  The buggy address is located 12 bytes to the right of
   allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
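The boundary case in the description, as a simplified user-space C model added here (not the kernel's code and not part of the advisory). The structure, the function names, the uniform 4 KiB segment size and the return codes are assumptions made for illustration. It shows that a zero-length request at the exact end of the region passes the strict greater-than check and yields a starting index equal to the array length, and that returning early on zero length avoids indexing the array at all.

```c
#include <stdint.h>
#include <stdio.h>

#define SEG_SHIFT 12   /* assumption: uniform 4 KiB segments */
#define ERR_RANGE (-1) /* stands in for -EFAULT */
#define NO_WALK   (-2) /* zero-length import: segment array never indexed */

/* Simplified stand-in for a registered buffer, not the kernel's structure. */
struct model_buf {
    uint64_t ubuf;     /* start address of the registered region */
    uint64_t len;      /* region length in bytes */
    unsigned nr_segs;  /* entries in the bio_vec-like segment array */
};

/* Range check as described: strict greater-than against the region end. */
static int model_validate(const struct model_buf *b, uint64_t addr, uint64_t len)
{
    if (len > UINT64_MAX - addr)               /* addr + len would wrap */
        return ERR_RANGE;
    if (addr < b->ubuf || addr + len > b->ubuf + b->len)
        return ERR_RANGE;
    return 0;
}

/* Returns the index of the first segment the import would touch. */
static long model_import(const struct model_buf *b, uint64_t addr,
                         uint64_t len, int reject_zero_len)
{
    if (model_validate(b, addr, len))
        return ERR_RANGE;
    if (reject_zero_len && len == 0)           /* the fix: return early */
        return NO_WALK;
    return (long)((addr - b->ubuf) >> SEG_SHIFT);
}

static int index_in_bounds(const struct model_buf *b, long idx)
{
    return idx >= 0 && (unsigned long)idx < b->nr_segs;
}

int main(void)
{
    struct model_buf b = { 0x10000, 2 << SEG_SHIFT, 2 };  /* constructed sample */
    long before = model_import(&b, b.ubuf + b.len, 0, 0);
    long after  = model_import(&b, b.ubuf + b.len, 0, 1);
    printf("no early return: index %ld, in bounds %d\n", before, index_in_bounds(&b, before));
    printf("early return on zero length: %ld (NO_WALK)\n", after);
    return 0;
}
```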
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-03
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's io_uring subsystem, specifically in the handling of fixed buffer imports. The function validate_fixed_range() accepts a zero-length request whose buf_addr sits at the exact end of a registered memory region, because its bounds check uses a strict greater-than comparison. As a result, io_import_fixed() computes an offset equal to the region length, and its bvec skip logic advances past the last bio_vec entry and reads bv_offset from out-of-bounds slab memory. KASAN reports this as a slab-out-of-bounds read.

The fix involves returning early from io_import_fixed() when the length of the buffer is zero, preventing any out-of-bounds memory access since a zero-length import should not process the bio_vec array.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to read memory outside the intended bounds, potentially leading to system instability or crashes due to slab-out-of-bounds errors. While the description does not explicitly mention exploitation scenarios, out-of-bounds reads can sometimes be leveraged to leak sensitive information or cause denial of service.

