Skip to main content

Linux Kernel CVE-2026-43442

| EUVDEUVD-2026-28748 HIGH
2026-05-08 Linux GHSA-cmw3-52p3-wrx5
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:36 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops

When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index.

The existing check:

!(ctx->cached_sq_head & (ctx->sq_entries - 1))

ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array.

Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases.

AnalysisAI

Local unprivileged users can trigger out-of-bounds memory reads in Linux kernel's io_uring subsystem (versions 6.19+) via crafted SQE array mappings when IORING_SETUP_SQE_MIXED is enabled without NO_SQARRAY. By manipulating sq_array indices to point to the last physical SQE slot and submitting 128-byte operations, attackers cause a 64-byte buffer over-read during memcpy operations, potentially leaking sensitive kernel memory. Vendor patches available for affected 6.19.x branches. EPSS score of 0.02% indicates very low observed exploitation probability; no CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the io_uring asynchronous I/O subsystem introduced in Linux kernel 5.1, specifically the SQE (Submission Queue Entry) handling logic when using the IORING_SETUP_SQE_MIXED flag with submission queue arrays. The io_uring interface allows user space to submit I/O operations through a shared ring buffer. When IORING_SETUP_SQE_MIXED is configured without IORING_SETUP_NO_SQARRAY, applications can use 128-byte extended SQE operations alongside standard 64-byte entries. The vulnerable code path occurs in io_init_req() where boundary validation checks the logical cached_sq_head position rather than the physical SQE index derived from the user-controlled sq_array mapping. This architectural mismatch allows an attacker to manipulate the sq_array indirection table to place a 128-byte operation at the final physical slot, causing io_uring_cmd_sqe_copy() to read 64 bytes beyond the allocated SQE buffer during its memcpy operation. The affected CPE strings indicate this impacts general Linux kernel distributions starting from commit 1cba30bf9fdd6c982708f3587f609a30c370d889 in the 6.19 development cycle.

RemediationAI

Upgrade to patched Linux kernel versions: 6.19.9 or later for 6.19.x branch, or version 7.0 or later per EUVD affected version data. Patches available via upstream commits 1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 and 6f02c6b196036dbb6defb4647d8707d29b7fe95b from https://git.kernel.org/stable/. If immediate patching is not feasible, disable IORING_SETUP_SQE_MIXED flag in io_uring configurations or enforce IORING_SETUP_NO_SQARRAY mode to eliminate the sq_array indirection layer, though this breaks applications requiring mixed 64/128-byte SQE operations. Alternatively, restrict unprivileged user access to io_uring via sysctl kernel.io_uring_disabled=2 (blocks all non-root access) or =1 (requires CAP_SYS_ADMIN), accepting the trade-off of reduced io_uring functionality for unprivileged users. Note that restricting io_uring may impact performance of applications like PostgreSQL, databases, and high-performance networking tools that leverage this subsystem. Monitor kernel logs for io_uring-related errors after applying restrictions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy