Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()

sqe->len is __u32 but gets stored into sr->len which is int. When
userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),
sr->len overflows to a negative value. This negative value propagates
through the bundle recv/send path:

1. io_recv(): sel.val = sr->len (ssize_t gets -1)
2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets
0xFFFFFFFFFFFFFFFF)
3. io_ring_buffers_peek(): buf->len is not clamped because max_len
is astronomically large
4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,
causing ret to increase instead of decrease, creating an
infinite loop that reads past the allocated iov[] array

This results in a slab-out-of-bounds read in io_bundle_nbufs() from
the kmalloc-64 slab, as nbufs increments past the allocated iovec
entries.

BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
Read of size 8 at addr ffff888100ae05c8 by task exp/145
Call Trace:
io_bundle_nbufs+0x128/0x160
io_recv_finish+0x117/0xe20
io_recv+0x2db/0x1160

Fix this by rejecting negative sr->len values early in both
io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,
any value > INT_MAX indicates overflow and is not a valid length.
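To make the arithmetic in the steps above concrete, here is an added illustrative C model (not the io_uring source, and not part of the CVE record): it shows the __u32-to-int store, why min_t(int, 0xFFFFFFFF, ret) yields -1 and makes the loop counter run off the end of the iovec array, and the prep-time check the fix describes. The helper names, the simplified loop and the sample iovec lengths are assumptions constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample iovec lengths for the model, not data captured from a system. */
static const uint32_t sane_iov_len[3]    = { 16, 16, 16 };
static const uint32_t wrapped_iov_len[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };

/* Models storing the __u32 sqe->len into the int sr->len. On the two's-complement
 * targets Linux runs on, any value above INT_MAX wraps to a negative int. */
int store_len_as_int(uint32_t sqe_len)
{
    int sr_len = (int)sqe_len;   /* 0xFFFFFFFF becomes -1 */
    return sr_len;
}

/* min_t(int, a, b) casts both operands to int before comparing, so an iov_len
 * of 0xFFFFFFFF compares as -1 and is chosen over any positive ret. */
static int min_t_int(uint32_t a, int b)
{
    int ia = (int)a;
    return ia < b ? ia : b;
}

/* Simplified, hypothetical walk of the io_bundle_nbufs() loop: consume iov
 * entries until ret bytes are accounted for. Returns the number of entries
 * consumed, or -1 as soon as the loop would index past the niov entries that
 * were actually allocated, i.e. the slab-out-of-bounds read. */
int bundle_nbufs_model(const uint32_t *iov_len, size_t niov, int ret)
{
    int nbufs = 0;
    while (ret > 0) {
        if ((size_t)nbufs >= niov)
            return -1;                       /* would read iov[nbufs] past the array */
        int this_len = min_t_int(iov_len[nbufs], ret);
        ret -= this_len;                     /* this_len == -1 makes ret grow, not shrink */
        nbufs++;
    }
    return nbufs;
}

/* The fix described in the commit message: reject the length during prep,
 * before it is ever stored as an int. */
int prep_len_check(uint32_t sqe_len)
{
    if (sqe_len > INT_MAX)
        return -EINVAL;
    return 0;
}
```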
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an integer overflow that occurs when userspace passes a sqe->len value that exceeds INT_MAX. Storing the 32‑bit unsigned length into a signed int turns it into a negative value, which is later interpreted as an astronomically large size when the kernel processes receive/send messages via io_uring. Because the size is not clamped, the kernel repeatedly reads past the end of the iovec array in io_bundle_nbufs(). This out‑of‑bounds read pulls data from the kmalloc‑64 slab, so the kernel may expose sensitive memory contents or crash. The weakness is an integer overflow combined with an incorrect conversion between numeric types, leading to an out‑of‑bounds read (CWE‑190, CWE‑681).

Affected Systems

All Linux kernel releases that do not include the commit adding the check for negative sr->len values, i.e. kernels built before the fix referenced in the advisory's commit chain. Distribution kernels that have not yet picked up the fix are affected.

Risk and Exploitability

Because the flaw is triggered by a user‑controlled io_uring submission, a local attacker, or anyone able to run a program that submits crafted io_uring requests, could trigger the bug. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. No CVSS score has been provided, but the nature of the bug suggests a high potential for information disclosure if successfully leveraged.

Generated by OpenCVE AI on May 2, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit eliminating negative sr->len values in io_sendmsg_prep() and io_recvmsg_prep().
  • If an immediate kernel update is not possible, disable io_uring support in userland applications or suspend io_uring usage until a patched kernel is available.
  • Enable kernel hardening or monitor for KASAN faults that indicate slab‑out‑of‑bounds read errors, and investigate any such incidents promptly.

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:45:00 +0000

Type                  Values Removed    Values Added
Weaknesses                              CWE-190, CWE-681

Fri, 01 May 2026 14:45:00 +0000

Type                  Values Removed    Values Added
Description                             (full commit description, identical to the Description section above)
Title                                   io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
First Time appeared                     Linux; Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:15:02.903Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31774

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:40.720

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses