Impact
An out‑of‑bounds read exists in the Linux kernel’s io_uring implementation. When a ring is set up with IORING_SETUP_SQE_MIXED but without IORING_SETUP_NO_SQARRAY, the bounds check that is meant to ensure a 128‑byte SQE fits inside the SQE array validates the logical queue head rather than the physical SQE index. With an sq_array present, the submitter rather than the kernel decides which physical slot each logical position refers to, so an unprivileged user can set sq_array[N] to the index of the last physical slot. Each slot is 64 bytes and a 128‑byte SQE spans two consecutive slots, so the 128‑byte memcpy in io_uring_cmd_sqe_copy() that starts at the last slot reads 64 bytes past the end of the SQE array. Based on the description, it is inferred that the over‑read copies adjacent kernel memory into the kernel‑side copy of the SQE; the original text does not say whether those bytes become observable from user space, and it does not confirm a direct privilege escalation or code execution capability.
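To make the wrong‑variable check concrete, the following is an added userspace model written for this page; it is not the kernel’s code and not the fix. The struct layout, the function names (physical_slot, sqe128_fits_flawed, sqe128_fits_fixed, sqe128_copy_overread, demo_ring) and the 8‑slot sample ring are assumptions. It checks a 128‑byte SQE against the logical head, as the flawed check does, and against the physical index after sq_array remapping, as a correct check must, and reports how far an unclamped 128‑byte copy would run past the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a userspace model of the check described in the advisory.
 * NOT the kernel's code. Structure, names and the sample ring are assumptions
 * chosen to illustrate the logical-head vs physical-index confusion.
 */

#define SQE_SIZE    64u   /* one submission queue entry slot */
#define SQE128_SIZE 128u  /* a 128-byte SQE occupies two consecutive slots */

struct sq_model {
    unsigned        sq_entries;  /* number of 64-byte slots, power of two */
    const unsigned *sq_array;    /* logical position -> physical slot (user-writable) */
    const uint8_t  *sqes;        /* sq_entries * SQE_SIZE bytes */
};

/* Mask the logical head into the ring, then remap through sq_array. */
static unsigned physical_slot(const struct sq_model *m, unsigned logical_head)
{
    unsigned head = logical_head & (m->sq_entries - 1);
    return m->sq_array[head];    /* attacker-controlled: any value can sit here */
}

/* Flawed check: tests the logical head, which says nothing about the slot the
 * copy will actually start from once sq_array has remapped it. */
static bool sqe128_fits_flawed(const struct sq_model *m, unsigned logical_head)
{
    unsigned head = logical_head & (m->sq_entries - 1);
    return head + 1 < m->sq_entries;
}

/* Corrected check: tests the physical index after remapping, and rejects an
 * sq_array value outside the ring before it is used at all. */
static bool sqe128_fits_fixed(const struct sq_model *m, unsigned logical_head)
{
    unsigned idx = physical_slot(m, logical_head);
    if (idx >= m->sq_entries)
        return false;
    return idx + 1 < m->sq_entries;
}

/*
 * Model of the 128-byte copy. Returns how many bytes an unclamped
 * memcpy(out, sqes + idx * 64, 128) would read past the end of the SQE array
 * (0 if the check rejects the entry or the copy is in bounds). The copy done
 * here is clamped so the model itself never reads out of bounds.
 */
static size_t sqe128_copy_overread(const struct sq_model *m, unsigned logical_head,
                                   bool use_fixed_check, uint8_t out[SQE128_SIZE])
{
    bool ok = use_fixed_check ? sqe128_fits_fixed(m, logical_head)
                              : sqe128_fits_flawed(m, logical_head);
    if (!ok)
        return 0;

    unsigned idx   = physical_slot(m, logical_head);
    size_t start   = (size_t)idx * SQE_SIZE;
    size_t limit   = (size_t)m->sq_entries * SQE_SIZE;
    size_t avail   = start < limit ? limit - start : 0;
    size_t in_bnds = avail < SQE128_SIZE ? avail : SQE128_SIZE;

    if (out && in_bnds)
        memcpy(out, m->sqes + start, in_bnds);   /* clamped copy */
    return SQE128_SIZE - in_bnds;                /* bytes the real copy would over-read */
}

/* Constructed sample ring: 8 slots, and sq_array[0] points at the LAST slot. */
static const struct sq_model *demo_ring(void)
{
    static uint8_t sqes[8 * SQE_SIZE];
    static const unsigned sq_array[8] = { 7, 0, 1, 2, 3, 4, 5, 6 };
    static const struct sq_model m = { 8, sq_array, sqes };
    return &m;
}

int main(void)
{
    const struct sq_model *m = demo_ring();
    uint8_t buf[SQE128_SIZE];

    printf("logical head 0 -> physical slot %u\n", physical_slot(m, 0));
    printf("flawed check: %s, over-read %zu bytes\n",
           sqe128_fits_flawed(m, 0) ? "pass" : "reject",
           sqe128_copy_overread(m, 0, false, buf));
    printf("fixed  check: %s, over-read %zu bytes\n",
           sqe128_fits_fixed(m, 0) ? "pass" : "reject",
           sqe128_copy_overread(m, 0, true, buf));
    return 0;
}
```

Build with `cc -std=c11 -Wall`. Logical head 0 passes the flawed check (0 + 1 < 8) yet maps to slot 7, so the copy runs 64 bytes past the 512‑byte array; the corrected check rejects it. The model also shows the flaw is a wrong‑variable bug rather than merely a lax one: logical head 7 is rejected by the flawed check even though sq_array[7] maps it to slot 6, where a 128‑byte SQE fits exactly.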
Affected Systems
Only kernels that support the IORING_SETUP_SQE_MIXED setup flag are affected; earlier kernels that lack the flag cannot reach the faulty check. Within that range, the flaw is present in the generic linux_kernel releases and specifically in the 7.0 release candidates (rc1, rc2, rc3) until the commit that replaces the improper bounds check is merged. Distribution kernels built from a source tree that predates that commit remain vulnerable regardless of patch level unless the fix has been backported, the kernel is rebuilt with it, or io_uring is disabled or restricted. Rings created with IORING_SETUP_NO_SQARRAY are not exposed, since without an sq_array there is no user‑controlled indirection that can redirect the physical index.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the high severity band, while the EPSS score below 1 % estimates a very low probability of exploitation activity in the wild. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is local: the attacker needs only the ability to create an io_uring instance with IORING_SETUP_SQE_MIXED and to write its own sq_array entries, which unprivileged users have by default on a kernel where io_uring is enabled. Hosts that restrict io_uring, for example through the kernel.io_uring_disabled sysctl (1 limits io_uring_setup() to privileged processes and members of io_uring_group, 2 disables it entirely), reduce or remove that exposure. Based on the description, it is inferred that the flaw yields an out‑of‑bounds read of kernel memory rather than a write, so it does not directly provide elevation of privilege or arbitrary code execution; leaked kernel data could, however, serve as an information‑leak building block in a chained attack.
OpenCVE Enrichment