Skip to main content

Linux Kernel EUVDEUVD-2026-32246

| CVE-2026-45962 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6w6r-q9pw-cwq6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

AV:L and PR:L because only local low-privilege io_uring access is needed; C:L reflects the plausible kernel memory exposure from the OOB read, consistent with the EUVD Information Disclosure tag despite the official C:N.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:42 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ublk: Validate SQE128 flag before accessing the cmd

ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before IO_URING_F_SQE128 flag check. This could cause out of boundary memory access.

Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return -EINVAL immediately if the flag is not set.

AnalysisAI

Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.

Technical ContextAI

The Linux kernel's ublk subsystem enables block device implementation in userspace, communicating via io_uring's uring_cmd interface. io_uring supports two SQE sizes: standard 64-byte and extended 128-byte (SQE128). The IO_URING_F_SQE128 flag is the kernel's signal that a submission entry carries the full 128-byte layout, making the second 64-byte block - including the cmd field - safe to access. In the vulnerable code path, ublk_ctrl_cmd_dump() unconditionally casts sqe->cmd as a (header *) without first confirming that IO_URING_F_SQE128 is set by ublk_ctrl_uring_cmd(). When the flag is absent, the SQE occupies only 64 bytes, making the cmd field access an out-of-bounds read that can cause a kernel crash. Affected products are described by CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* beginning at commit 71f28f3136aff5890cd56de78abc673f8393cad9. No CWE is assigned by NVD, but the pattern aligns with CWE-125 (Out-of-bounds Read) based on the pre-validation memory access described in the commit.

RemediationAI

The primary remediation is to upgrade the Linux kernel to a patched stable release: 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, depending on the branch tracked by the distribution. Upstream fix commits are available at https://git.kernel.org/stable/c/17d33ba7291100008360b5a354962db37ad80684, https://git.kernel.org/stable/c/31cac6acf77ece488f29fb8f79589d9298e969c8, https://git.kernel.org/stable/c/4b4dff498f46e9802f71bc84258bf73065f51c6a, https://git.kernel.org/stable/c/da7e4b75e50c087d2031a92f6646eb90f7045a67, https://git.kernel.org/stable/c/dbe8e81a2ec608f87f79a34f6444cd62f6a243bb, and https://git.kernel.org/stable/c/f75a5555e0049e7857eae25b60aee98b80e287ec. Where patching is not immediately possible on systems with untrusted local users, two compensating controls apply: first, on Linux 6.3+ systems, restrict io_uring system-wide via 'sysctl -w kernel.io_uring_disabled=1' - trade-off is that this breaks all applications using io_uring including high-performance storage and network stacks; second, if the ublk subsystem is not required, blacklist the module with 'echo blacklist ublk_drv >> /etc/modprobe.d/blacklist.conf && modprobe -r ublk_drv' - this has no side effects on systems not using userspace block devices and eliminates the attack surface entirely.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy