Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: check if target buffer list is still legacy on recycle

There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects the Linux kernel's io_uring buffer management (kbuf). There is a gap between the time a buffer is grabbed and the time it is potentially recycled; if the buffer list is empty during that gap, it could have been upgraded to a ring-provided type. The legacy recycling path did not check that the buffer list still exists and is still of the legacy type, so recycling could operate on a list of an unexpected type, potentially leading to memory corruption or other unintended kernel behavior. Per the description, this can happen when the request is forced via io-wq.

Affected Systems

All Linux kernel releases that include the io_uring kbuf subsystem are affected because the vendor list only references Linux. No specific version range is provided, so any kernel build that has not integrated the fix may be vulnerable.

Risk and Exploitability

The CVSS score is 7.0 and the vulnerability is not listed in the CISA KEV catalog, meaning CISA has not recorded exploitation in the wild. The flaw requires the attacker to manipulate io_uring requests, likely by forcing the request via io-wq. If exploited, the lack of checks could lead to kernel memory corruption or stability issues. Because the EPSS score is not available, the predicted exploitation probability remains uncertain but should be treated as possible; high-privilege processes that rely on io_uring are the primary target.

Generated by OpenCVE AI on May 9, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that adds checks for buffer list existence and correct type before recycling in the io_uring subsystem.
  • If an immediate kernel upgrade is not possible, disable or restrict usage of io_uring or io-wq for untrusted applications to mitigate the risk of buffer misuse.
  • Monitor kernel logs and system stability for signs of abnormal io_uring behavior and apply additional mitigations such as memory protection hardening if corruption is observed.

Generated by OpenCVE AI on May 9, 2026 at 01:59 UTC.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-367
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Fri, 08 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.
Title | | io_uring/kbuf: check if target buffer list is still legacy on recycle
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:19.191Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43366

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:47.623

Modified: 2026-05-08T15:16:47.623

Link: CVE-2026-43366

Redhat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43366 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:00:19Z

Weaknesses