Skip to main content

Linux Kernel EUVDEUVD-2026-26605

| CVE-2026-43006 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:33 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26605
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: reject zero-length fixed buffer import

validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.

Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.

BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0 Read of size 4 at addr ffff888002bcc254 by task poc/103 Call Trace: io_import_reg_buf+0x697/0x7f0 io_write_fixed+0xd9/0x250 __io_issue_sqe+0xad/0x710 io_issue_sqe+0x7d/0x1100 io_submit_sqes+0x86a/0x23c0 __do_sys_io_uring_enter+0xa98/0x1590 Allocated by task 103: The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)

AnalysisAI

Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Technical ContextAI

The vulnerability resides in the io_uring subsystem's resource management code (io_uring/rsrc.c), specifically in the validate_fixed_range() and io_import_fixed() functions. io_uring is a high-performance asynchronous I/O interface introduced in Linux 5.1 that allows userspace applications to submit I/O operations through shared ring buffers. Fixed buffers are pre-registered memory regions that improve performance by avoiding repeated buffer registration overhead. The flaw occurs when validate_fixed_range() incorrectly permits a buffer address at the exact end of a registered region when length is zero (due to using strict greater-than comparison: buf_end > imu->ubuf + imu->len). This causes io_import_fixed() to compute offset == imu->len, which triggers the bio_vec (bvec) skip logic to advance past the last valid bio_vec entry in the array and dereference uninitialized slab memory to read bv_offset. The bio_vec structure is the kernel's representation of physically contiguous memory segments used for I/O operations. This is a classic off-by-one boundary condition combined with improper zero-length input validation.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.22 or later for 6.18.x branch, 6.19.12 or later for 6.19.x branch, or 7.0 or later for mainline. Patches available from kernel.org stable tree via commits 040a1e7e0e2f (6.18 stable), 40170fc1a79c (6.19 stable), or 111a12b422a (mainline). For systems unable to immediately patch, implement compensating controls: restrict io_uring usage via sysctl (kernel.io_uring_disabled=2 for complete disablement, or =1 to restrict to CAP_SYS_ADMIN), though this breaks applications relying on io_uring for performance (PostgreSQL with io_uring support, high-performance network servers). Alternatively, use AppArmor/SELinux policies to restrict io_uring system calls to trusted processes only, though policy development requires careful testing to avoid breaking legitimate applications. Monitor for abnormal kernel crashes or KASAN reports in systems running affected versions. Complete io_uring disablement has significant performance trade-offs for I/O-intensive workloads and should be considered temporary until patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy