Skip to main content

Linux Kernel CVE-2026-43366

| EUVDEUVD-2026-28672 HIGH
2026-05-08 Linux GHSA-g6hq-4292-hhwx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:28 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: check if target buffer list is still legacy on recycle

There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.

AnalysisAI

Local privilege escalation in Linux kernel io_uring subsystem allows authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through improper buffer list type validation during recycling operations. The vulnerability stems from a race condition where buffer lists can be upgraded from legacy to ring-provided type between acquisition and recycling when requests are forced through io-wq, potentially leading to type confusion and memory corruption. Patches available across multiple kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with upstream commits confirmed. EPSS score is very low (0.02%, 7th percentile) indicating minimal observed exploitation probability despite high CVSS 7.8 rating. No KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the io_uring subsystem in the Linux kernel, specifically the kernel buffer (kbuf) management mechanism introduced in commit c7fb19428d67 (kernel 5.19+). The io_uring framework provides high-performance asynchronous I/O operations with zero-copy buffer management. The flaw occurs in the buffer recycling path where legacy buffer lists can be dynamically upgraded to ring-provided buffer lists while requests are in-flight. When a request is forced to execute via io-wq (the io_uring worker thread pool), a time-of-check-time-of-use (TOCTOU) race condition exists between buffer acquisition and recycling. The legacy recycling code path fails to validate that the buffer_list still exists and remains the expected legacy type rather than having been upgraded to ring-provided type. This type confusion can lead to incorrect memory operations as the two buffer list types have different internal structures and lifecycle management. The affected CPE strings indicate all Linux kernel versions from 5.19 onward until patched versions are vulnerable.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167 or later for 6.1.x LTS branch, 6.6.130 or later for 6.6.x LTS branch, 6.12.78 or later for 6.12.x stable, 6.18.19 or later for 6.18.x stable, 6.19.9 or later for 6.19.x stable, or version 7.0 for mainline. Kernel updates require system reboot to take effect, plan maintenance windows accordingly. For systems unable to immediately patch, consider disabling io_uring functionality entirely via sysctl by setting io_uring_disabled=2 in /etc/sysctl.conf (blocks all io_uring usage, will break applications depending on this interface such as newer PostgreSQL with io_uring support, high-performance storage applications, and some container runtimes). Alternatively, use kernel command line parameter io_uring_disabled=2 at boot. For containerized environments, consider using seccomp profiles to block io_uring_setup, io_uring_enter, and io_uring_register syscalls for untrusted workloads, though this provides incomplete protection if the host kernel is vulnerable and containers share the kernel namespace. Note that disabling io_uring may significantly impact performance of applications specifically optimized for this interface. Verify patch installation with uname -r and confirm io_uring/kbuf.c contains the buffer list type validation checks from commits referenced above.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy