Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops

When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,
the boundary check for 128-byte SQE operations in io_init_req()
validated the logical SQ head position rather than the physical SQE
index.

The existing check:

!(ctx->cached_sq_head & (ctx->sq_entries - 1))

ensures the logical position isn't at the end of the ring, which is
correct for NO_SQARRAY rings where physical == logical. However, when
sq_array is present, an unprivileged user can remap any logical
position to an arbitrary physical index via sq_array. Setting
sq_array[N] = sq_entries - 1 places a 128-byte operation at the last
physical SQE slot, causing the 128-byte memcpy in
io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE
array.

Replace the cached_sq_head alignment check with a direct validation
of the physical SQE index, which correctly handles both sq_array and
NO_SQARRAY cases.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s io_uring implementation mistakenly uses a logical queue head value to perform a boundary check for 128‑byte SQE operations instead of validating the physical SQE index. When IORING_SETUP_SQE_MIXED is used without the IORING_SETUP_NO_SQARRAY flag, an attacker can remap a logical position to an arbitrary physical index via the sq_array interface. Setting sq_array[N] to the last physical slot forces the kernel to copy 128 bytes from that location, which reads 64 bytes past the end of the SQE array, potentially revealing adjacent kernel memory contents.
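The difference between the logical and the physical check, as an added user-space model (not kernel code and not the upstream patch). `struct ring_model` and its helpers are hypothetical names, the remap table is constructed, sq_array entries are assumed to be in range, and the head is assumed to have already advanced past the first 64-byte half when the check runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SQE_SIZE     64u   /* one normal SQE slot */
#define BIG_SQE_SIZE 128u  /* a 128-byte op spans two adjacent slots */

/* Simplified model of the ring state named in the description. */
struct ring_model {
    unsigned sq_entries;       /* power of two */
    unsigned cached_sq_head;   /* logical head, already advanced by one */
    const unsigned *sq_array;  /* NULL models IORING_SETUP_NO_SQARRAY */
};

/* Physical slot of the SQE just fetched; sq_array remaps logical -> physical. */
static unsigned physical_index(const struct ring_model *r)
{
    unsigned logical = (r->cached_sq_head - 1) & (r->sq_entries - 1);
    return r->sq_array ? r->sq_array[logical] : logical;
}

/* Pre-fix check: rejects only when the logical head sits at the ring end. */
static bool prefix_accepts_128(const struct ring_model *r)
{
    return (r->cached_sq_head & (r->sq_entries - 1)) != 0;
}

/* Post-fix idea: validate the physical slot the 128-byte copy starts from. */
static bool fixed_accepts_128(const struct ring_model *r)
{
    return physical_index(r) < r->sq_entries - 1;
}

/* Bytes a 128-byte copy would read past the end of the SQE array. */
static size_t overread_bytes(const struct ring_model *r)
{
    size_t end  = (size_t)physical_index(r) * SQE_SIZE + BIG_SQE_SIZE;
    size_t size = (size_t)r->sq_entries * SQE_SIZE;
    return end > size ? end - size : 0;
}

int main(void)
{
    /* Constructed remap: logical slot 0 points at the last physical slot. */
    static const unsigned remap[4] = { 3, 1, 2, 0 };
    struct ring_model r = { 4, 1, remap };
    printf("pre-fix accepts=%d fixed accepts=%d overread=%zu\n",
           prefix_accepts_128(&r), fixed_accepts_128(&r), overread_bytes(&r));
    return 0;
}
```

With `sq_array` set to NULL the two checks agree on every head value, which is why the logical check was sufficient for NO_SQARRAY rings.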

Affected Systems

Any Linux kernel that still uses the pre-fix io_uring logic is affected. The vulnerability applies to all kernel releases before the commit that corrects the boundary check, regardless of distribution or package version, as long as the SQE_MIXED mode is available in the running kernel.

Risk and Exploitability

The EPSS score is less than 1 %, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog and no CVSS score is provided in the data. Exploitation requires local access to create an io_uring instance with SQE_MIXED and the ability to manipulate sq_array; it does not provide privilege escalation or arbitrary code execution, but it does enable kernel‑memory disclosure that could be leveraged by other attacks.

Generated by OpenCVE AI on May 9, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the commit which fixes the SQE bounds check (e.g., 1f794f9 or 6f02c6b).
  • Rebuild or reconfigure the kernel with CONFIG_IO_URING_SQ_ARRAY disabled or avoid using the IORING_SETUP_SQE_MIXED flag so the offending boundary check cannot be triggered.
  • Employ a security policy such as SELinux or AppArmor to restrict unprivileged users from setting the IORING_SETUP_SQE_MIXED flag when creating io_uring instances until the kernel is updated.


Advisories

No advisories yet.

History

Sat, 09 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-127

Sat, 09 May 2026 12:15:00 +0000


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-127

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases.
Title io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:10.656Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43442

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:56.663

Modified: 2026-05-08T15:16:56.663

Link: CVE-2026-43442

Redhat

Severity:

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43442 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:30:37Z

Weaknesses