CVE-2026-43442 (GCVE-0-2026-43442)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-08 14:22
VLAI?
Title
io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1cba30bf9fdd6c982708f3587f609a30c370d889 , < 1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 (git)
Affected: 1cba30bf9fdd6c982708f3587f609a30c370d889 , < 6f02c6b196036dbb6defb4647d8707d29b7fe95b (git)
Create a notification for this product.
    Linux Linux Affected: 6.19
Unaffected: 0 , < 6.19 (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1f794f9bed3e5cf7250a3b4daf112a72ed1513e9",
              "status": "affected",
              "version": "1cba30bf9fdd6c982708f3587f609a30c370d889",
              "versionType": "git"
            },
            {
              "lessThan": "6f02c6b196036dbb6defb4647d8707d29b7fe95b",
              "status": "affected",
              "version": "1cba30bf9fdd6c982708f3587f609a30c370d889",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops\n\nWhen IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,\nthe boundary check for 128-byte SQE operations in io_init_req()\nvalidated the logical SQ head position rather than the physical SQE\nindex.\n\nThe existing check:\n\n  !(ctx-\u003ecached_sq_head \u0026 (ctx-\u003esq_entries - 1))\n\nensures the logical position isn\u0027t at the end of the ring, which is\ncorrect for NO_SQARRAY rings where physical == logical. However, when\nsq_array is present, an unprivileged user can remap any logical\nposition to an arbitrary physical index via sq_array. Setting\nsq_array[N] = sq_entries - 1 places a 128-byte operation at the last\nphysical SQE slot, causing the 128-byte memcpy in\nio_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE\narray.\n\nReplace the cached_sq_head alignment check with a direct validation\nof the physical SQE index, which correctly handles both sq_array and\nNO_SQARRAY cases."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:22:10.656Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b"
        }
      ],
      "title": "io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43442",
    "datePublished": "2026-05-08T14:22:10.656Z",
    "dateReserved": "2026-05-01T14:12:56.009Z",
    "dateUpdated": "2026-05-08T14:22:10.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43442",
      "date": "2026-05-10",
      "epss": "0.00018",
      "percentile": "0.05089"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43442\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:56.663\",\"lastModified\":\"2026-05-08T15:16:56.663\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops\\n\\nWhen IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,\\nthe boundary check for 128-byte SQE operations in io_init_req()\\nvalidated the logical SQ head position rather than the physical SQE\\nindex.\\n\\nThe existing check:\\n\\n  !(ctx-\u003ecached_sq_head \u0026 (ctx-\u003esq_entries - 1))\\n\\nensures the logical position isn\u0027t at the end of the ring, which is\\ncorrect for NO_SQARRAY rings where physical == logical. However, when\\nsq_array is present, an unprivileged user can remap any logical\\nposition to an arbitrary physical index via sq_array. Setting\\nsq_array[N] = sq_entries - 1 places a 128-byte operation at the last\\nphysical SQE slot, causing the 128-byte memcpy in\\nio_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE\\narray.\\n\\nReplace the cached_sq_head alignment check with a direct validation\\nof the physical SQE index, which correctly handles both sq_array and\\nNO_SQARRAY cases.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.