CVE-2026-43442
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel io_uring

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43442
EUVD
EUVD-2026-28748
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's io_uring subsystem, specifically related to the handling of 128-byte submission queue entries (SQEs) when using the SQE_MIXED feature without the NO_SQARRAY flag.

The issue is that the boundary check for these 128-byte SQE operations validated the logical SQ head position instead of the physical SQE index. This means that when the sq_array feature is used, an unprivileged user can manipulate the logical-to-physical mapping to place a 128-byte operation at the last physical SQE slot.

As a result, a 128-byte memcpy operation reads 64 bytes beyond the end of the SQE array, potentially causing out-of-bounds memory access.

The fix involved replacing the logical position check with a direct validation of the physical SQE index, correctly handling both sq_array and NO_SQARRAY cases.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's io_uring subsystem.

An unprivileged user could exploit this to read memory beyond the intended buffer, potentially exposing sensitive kernel memory contents.

Such memory disclosure could lead to information leaks, which attackers might use to further compromise the system or escalate privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart