Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: reject zero-length fixed buffer import

validate_fixed_range() admits buf_addr at the exact end of the
registered region when len is zero, because the check uses strict
greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed()
then computes offset == imu->len, which causes the bvec skip logic
to advance past the last bio_vec entry and read bv_offset from
out-of-bounds slab memory.

Return early from io_import_fixed() when len is zero. A zero-length
import has no data to transfer and should not walk the bvec array
at all.

BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103
Call Trace:
io_import_reg_buf+0x697/0x7f0
io_write_fixed+0xd9/0x250
__io_issue_sqe+0xad/0x710
io_issue_sqe+0x7d/0x1100
io_submit_sqes+0x86a/0x23c0
__do_sys_io_uring_enter+0xa98/0x1590
Allocated by task 103:
The buggy address is located 12 bytes to the right of
allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
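To make the off-by-one concrete, here is an added model (written for this page, not kernel code) of the strict range check and of the bio_vec index the skip logic would select; `struct model_imu`, the one-folio-per-bvec simplification and the sample sizes are assumptions, and the `patched` flag adds the early return the fix introduces.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed stand-in for the kernel's registered-buffer struct (not kernel
 * code): ubuf/len mirror imu->ubuf/imu->len from the advisory, and each
 * bio_vec is modelled as covering exactly one folio of 1 << folio_shift. */
struct model_imu {
    uint64_t ubuf;        /* start of the registered user range */
    uint64_t len;         /* registered length in bytes */
    unsigned folio_shift; /* log2 of bytes per bio_vec entry */
    unsigned nr_bvecs;    /* entries actually backing the buffer */
};

/* Range check as the advisory describes it: strict '>' on the end, so
 * buf_addr == ubuf + len is admitted when len == 0. */
static bool validate_fixed_range(uint64_t buf_addr, uint64_t len,
                                 const struct model_imu *imu)
{
    uint64_t buf_end;
    if (__builtin_add_overflow(buf_addr, len, &buf_end))
        return false;
    if (buf_addr < imu->ubuf || buf_end > imu->ubuf + imu->len)
        return false;
    return true;
}

/* Model of the import path: returns the index of the first bio_vec the
 * skip logic would dereference, or -1 when the import is rejected or
 * returns early. 'patched' adds the fix: bail out when len == 0. */
static int import_fixed_index(uint64_t buf_addr, uint64_t len,
                              const struct model_imu *imu, bool patched)
{
    if (patched && len == 0)
        return -1;          /* nothing to transfer: do not walk the bvecs */
    if (!validate_fixed_range(buf_addr, len, imu))
        return -1;
    /* offset == imu->len in the zero-length edge case */
    return (int)((buf_addr - imu->ubuf) >> imu->folio_shift);
}

/* Constructed sample: 8 KiB registered over two 4 KiB folios. Any index
 * >= SAMPLE_NR_BVECS is the out-of-bounds bv_offset read KASAN flagged. */
#define SAMPLE_NR_BVECS 2
static int sample_import_index(uint64_t at, uint64_t len, bool patched)
{
    const struct model_imu imu = { .ubuf = 0x10000, .len = 8192,
                                   .folio_shift = 12,
                                   .nr_bvecs = SAMPLE_NR_BVECS };
    return import_fixed_index(imu.ubuf + at, len, &imu, patched);
}
```

With the unpatched check, a zero-length import at `ubuf + 8192` passes validation and selects index 2, one past the last entry; the patched path returns before touching the array, while a one-byte import at the same address is still rejected by the range check.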
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local actor to trigger a slab‑out‑of‑bounds read in the Linux kernel by issuing an io_uring import with a zero‑length buffer. The validate_fixed_range function incorrectly accepts a buffer address that lies exactly at the end of a registered region when the length is zero. As a result, io_import_fixed calculates an offset equal to the buffer length and walks the underlying bvec array one step beyond its last valid entry, reading a bvec offset from memory beyond the allocated slab. This causes a kernel crash as reported by KASAN, potentially terminating the offending process or the entire system. The flaw is a buffer overflow (CWE‑125) and a memory read (CWE‑805), with no direct code execution.

Affected Systems

All Linux kernel builds that have not yet incorporated the patch commits 040a1e7e0e2f01851fec1dd2d96906f8636a9f75, 111a12b422a8cfa93deabaef26fec48237163214, or 40170fc1a79c1b2e68f09ae6aac687b7305ae6f4 are potentially vulnerable. The advisory lists the vendor as Linux:Linux, indicating that the issue affects the kernel itself rather than a specific distribution. Precise version ranges are not provided, so administrators should verify whether their running kernel includes these commits.

Risk and Exploitability

Risk remains significant due to a CVSS score of 7.1. The EPSS score of 0.00013 indicates a very low probability of exploitation, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker must be able to submit a crafted io_uring syscall with a zero‑length import; this could be performed by a local user or an unprivileged process that can craft the call. While the vulnerability occurs in the kernel, a successful crash may provide a weak path to privilege escalation, but such an outcome has not been demonstrated.

Generated by OpenCVE AI on May 12, 2026 at 22:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the patch commits referenced in the advisory (040a1e7e0e2f01851fec1dd2d96906f8636a9f75, 111a12b422a8cfa93deabaef26fec48237163214, or 40170fc1a79c1b2e68f09ae6aac687b7305ae6f4).
  • Apply the specific kernel patch that adds a return‑early check for zero‑length imports if an immediate kernel upgrade is not possible.
  • Avoid using io_import_fixed with a length of zero in application code until the kernel fix is applied.

Generated by OpenCVE AI on May 12, 2026 at 22:02 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description (full text identical to the Description section above)
Title io_uring/rsrc: reject zero-length fixed buffer import
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:52.862Z

Reserved: 2026-05-01T14:12:55.974Z

Link: CVE-2026-43006

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:44.450

Modified: 2026-05-12T19:32:36.973

Link: CVE-2026-43006

Redhat

Severity : Important

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43006 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses