Bug 2468226 (CVE-2026-43442) - CVE-2026-43442 kernel: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
Summary: CVE-2026-43442 kernel: io_uring: fix physical SQE bounds check for SQE_MIXED ...
Keywords:
Status: NEW
Alias: CVE-2026-43442
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-08 15:05 UTC by OSIDB Bzimport
Modified: 2026-05-09 00:18 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-08 15:05:46 UTC 
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops

When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,
the boundary check for 128-byte SQE operations in io_init_req()
validated the logical SQ head position rather than the physical SQE
index.

The existing check:

  !(ctx->cached_sq_head & (ctx->sq_entries - 1))

ensures the logical position isn't at the end of the ring, which is
correct for NO_SQARRAY rings where physical == logical. However, when
sq_array is present, an unprivileged user can remap any logical
position to an arbitrary physical index via sq_array. Setting
sq_array[N] = sq_entries - 1 places a 128-byte operation at the last
physical SQE slot, causing the 128-byte memcpy in
io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE
array.

Replace the cached_sq_head alignment check with a direct validation
of the physical SQE index, which correctly handles both sq_array and
NO_SQARRAY cases.
Comment 1 Keith Grant 2026-05-09 00:16:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050854-CVE-2026-43442-88f3@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.