GHSA-5MWR-6PQP-C5QM
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-03 09:33In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: reject zero-length fixed buffer import
validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.
Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.
BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0 Read of size 4 at addr ffff888002bcc254 by task poc/103 Call Trace: io_import_reg_buf+0x697/0x7f0 io_write_fixed+0xd9/0x250 __io_issue_sqe+0xad/0x710 io_issue_sqe+0x7d/0x1100 io_submit_sqes+0x86a/0x23c0 __do_sys_io_uring_enter+0xa98/0x1590 Allocated by task 103: The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
{
"affected": [],
"aliases": [
"CVE-2026-43006"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:44Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: reject zero-length fixed buffer import\n\nvalidate_fixed_range() admits buf_addr at the exact end of the\nregistered region when len is zero, because the check uses strict\ngreater-than (buf_end \u003e imu-\u003eubuf + imu-\u003elen). io_import_fixed()\nthen computes offset == imu-\u003elen, which causes the bvec skip logic\nto advance past the last bio_vec entry and read bv_offset from\nout-of-bounds slab memory.\n\nReturn early from io_import_fixed() when len is zero. A zero-length\nimport has no data to transfer and should not walk the bvec array\nat all.\n\n BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0\n Read of size 4 at addr ffff888002bcc254 by task poc/103\n Call Trace:\n io_import_reg_buf+0x697/0x7f0\n io_write_fixed+0xd9/0x250\n __io_issue_sqe+0xad/0x710\n io_issue_sqe+0x7d/0x1100\n io_submit_sqes+0x86a/0x23c0\n __do_sys_io_uring_enter+0xa98/0x1590\n Allocated by task 103:\n The buggy address is located 12 bytes to the right of\n allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)",
"id": "GHSA-5mwr-6pqp-c5qm",
"modified": "2026-05-03T09:33:10Z",
"published": "2026-05-01T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43006"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/040a1e7e0e2f01851fec1dd2d96906f8636a9f75"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/111a12b422a8cfa93deabaef26fec48237163214"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40170fc1a79c1b2e68f09ae6aac687b7305ae6f4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.