Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte
SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second
half of the SQE would be past the end of the sq_sqes array. The current
check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented
when a 128-byte SQE is encountered, not on every iteration. The actual
array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask
(the last slot) while the wrap check passes.

Fix by checking sq_idx directly. Keep the sq_head increment so the loop
still skips the second half of the 128-byte SQE on the next iteration.
Published: 2026-04-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Patch Kernel
AI Analysis

Impact

This Linux kernel flaw in the io_uring subsystem enables an out‑of‑bounds read during the __io_uring_show_fdinfo routine, which appears when the kernel tries to display file descriptor information for a mixed‑size SQE ring. The wrong wrap‑around check uses an incremented counter instead of the actual array index, allowing the routine to read past the end of the sq_sqes array and potentially expose kernel memory content to an attacker with local user rights. The exposed data may contain sensitive information such as credentials or configuration details, but the vulnerability does not permit arbitrary code execution.

Affected Systems

The issue is present in all Linux kernels that contain the vulnerable io_uring implementation before the commit that introduced the fix. Distributions shipping kernel releases that have not yet applied this patch are affected. No specific version numbers were provided, so all kernel builds prior to the commit are considered potentially vulnerable.

Risk and Exploitability

The flaw requires a local process that can invoke the __io_uring_show_fdinfo routine, implying that only privileged or local users can exploit it. The CVSS score of 7.1 indicates a significant threat, while the EPSS score of less than 1% indicates that malicious exploitation is currently unlikely. Because the vulnerability is not listed in CISA KEV, there are no confirmed exploit cases yet. Nonetheless, the data leakage could be valuable for a local adversary seeking to pivot to higher privileges or gain additional system context.

Generated by OpenCVE AI on April 28, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the io_uring OOB read fix.
  • Reboot the system so the upgraded kernel becomes active.
  • If an update is not yet available, temporarily disable the io_uring API or restrict its use until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check __io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes. Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.
Title io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:37.439Z

Reserved: 2026-03-09T15:48:24.101Z

Link: CVE-2026-31484

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:45.800

Modified: 2026-04-28T13:39:16.760

Link: CVE-2026-31484

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31484 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:45:06Z

Weaknesses