CVE-2026-43442
Buffer Overflow in Linux Kernel io_uring
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
| linux_kernel | io_uring | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's io_uring subsystem, specifically related to the handling of 128-byte submission queue entries (SQEs) when using the SQE_MIXED feature without the NO_SQARRAY flag.
The issue is that the boundary check for these 128-byte SQE operations validated the logical SQ head position instead of the physical SQE index. This means that when the sq_array feature is used, an unprivileged user can manipulate the logical-to-physical mapping to place a 128-byte operation at the last physical SQE slot.
As a result, a 128-byte memcpy operation reads 64 bytes beyond the end of the SQE array, potentially causing out-of-bounds memory access.
The fix involved replacing the logical position check with a direct validation of the physical SQE index, correctly handling both sq_array and NO_SQARRAY cases.
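The difference between the two checks, as an added illustration that is not kernel code and not part of the original advisory: a userspace C model in which the 8-slot ring, the struct and the function names are hypothetical and the sq_array contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; sizes and names are assumptions, not kernel code. */
#define SQ_ENTRIES 8u  /* constructed ring: 8 physical slots */
#define SQE_SIZE   64u /* one slot; a 128-byte SQE spans two slots */

struct ring_model {
    bool use_sq_array;             /* false models NO_SQARRAY */
    uint32_t sq_array[SQ_ENTRIES]; /* logical -> physical, written by the user */
};

/* Physical slot that backs a logical head position. */
static uint32_t physical_index(const struct ring_model *r, uint32_t head)
{
    uint32_t pos = head & (SQ_ENTRIES - 1);
    return r->use_sq_array ? r->sq_array[pos] : pos;
}

/* Check described as flawed: only the logical head position is examined. */
static bool big_sqe_ok_logical(uint32_t head)
{
    return (head & (SQ_ENTRIES - 1)) != SQ_ENTRIES - 1;
}

/* Check described as the fix: the physical slot must leave room for 128 bytes. */
static bool big_sqe_ok_physical(const struct ring_model *r, uint32_t head)
{
    return physical_index(r, head) < SQ_ENTRIES - 1;
}

/* Bytes a 128-byte copy from this entry would read past the array end. */
static size_t overread_bytes(const struct ring_model *r, uint32_t head)
{
    size_t end = ((size_t)physical_index(r, head) + 2) * SQE_SIZE;
    size_t total = (size_t)SQ_ENTRIES * SQE_SIZE;
    return end > total ? end - total : 0;
}

int main(void)
{
    /* Constructed mapping: logical position 0 points at the last physical slot. */
    struct ring_model r = { true, { 7, 1, 2, 3, 4, 5, 6, 7 } };
    printf("logical=%d physical=%d overread=%zu\n", big_sqe_ok_logical(0),
           big_sqe_ok_physical(&r, 0), overread_bytes(&r, 0));
    return 0;
}
```

With the remapped ring the logical check accepts the entry while the physical check rejects it, and the model reports the 64-byte over-read the description mentions.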
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's io_uring subsystem.
An unprivileged user could exploit this to read memory beyond the intended buffer, potentially exposing sensitive kernel memory contents.
Such memory disclosure could lead to information leaks, which attackers might use to further compromise the system or escalate privileges.