Skip to main content

Linux Kernel EUVDEUVD-2026-26587

| CVE-2026-31774 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:31 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26587
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()

sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path:

  1. io_recv(): sel.val = sr->len (ssize_t gets -1)
  2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets

0xFFFFFFFFFFFFFFFF)

  1. io_ring_buffers_peek(): buf->len is not clamped because max_len

is astronomically large

  1. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
  2. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,

causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array

This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries.

BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160

Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.

AnalysisAI

Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.

Technical ContextAI

This vulnerability affects the io_uring asynchronous I/O framework in the Linux kernel, specifically the network operations code path (io_uring/net). The flaw occurs in the bundled receive/send implementation where a __u32 (unsigned 32-bit) sqe->len field from userspace is stored into an int (signed 32-bit) sr->len variable without validation. When users submit io_uring submission queue entries (SQE) with len values greater than INT_MAX (0x7FFFFFFF), the signed integer overflows to negative values. This corrupted length propagates through multiple functions: io_recv() converts it to ssize_t, io_recv_buf_select() casts to size_t (creating values like 0xFFFFFFFFFFFFFFFF on 64-bit systems), and io_ring_buffers_peek() fails to clamp buffer lengths. The final manifestation occurs in io_bundle_nbufs() where min_t(int, 0xFFFFFFFF, ret) performs signed comparison, yielding -1 and creating an infinite loop that increments past the allocated iovec array boundaries. The vulnerability demonstrates classic integer overflow/signedness mismatch issues common in kernel code interfacing with user-supplied data structures. The io_uring subsystem was introduced in Linux 5.1 and has become a performance-critical component for high-throughput network and storage applications.

RemediationAI

Upgrade to patched Linux kernel stable releases: version 7.0 for mainline users, 6.19.12 for 6.19.x series, 6.18.22 for 6.18.x series, or 6.12.81 for 6.12.x LTS series. Kernel patches available at git.kernel.org stable tree (commits c314b405dcc4, 90ced24c500a, 1b655cd31134, b948f9d5d305). Distribution-specific updates: monitor vendor security advisories for backported fixes to enterprise kernels (RHEL, Ubuntu, SUSE). For systems unable to patch immediately, implement compensating controls: (1) Disable io_uring via sysctl by setting io_uring_disabled=2 in /etc/sysctl.conf (note: this breaks applications relying on io_uring including some database and proxy configurations - verify application compatibility before deployment), (2) Restrict io_uring_setup() syscall using seccomp-bpf filters in containerized environments (requires application testing), or (3) Limit local user access and enforce mandatory access controls (SELinux/AppArmor) to reduce attacker foothold (does not prevent exploitation by compromised legitimate users). Each mitigation trades functionality or usability for security: disabling io_uring impacts application performance significantly, seccomp filtering requires per-application tuning, and access controls only reduce attack surface without eliminating the vulnerability. Patching remains the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy