In the Linux kernel, the following vulnerability has been resolved:
iouring/net: fix slab-out-of-bounds read in iobundle_nbufs()
sqe->len is _u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INTMAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path:
This results in a slab-out-of-bounds read in iobundlenbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries.
BUG: KASAN: slab-out-of-bounds in iobundlenbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: iobundlenbufs+0x128/0x160 iorecvfinish+0x117/0xe20 io_recv+0x2db/0x1160
Fix this by rejecting negative sr->len values early in both iosendmsgprep() and iorecvmsgprep(). Since sqe->len is _u32, any value > INTMAX indicates overflow and is not a valid length.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31774.json",
"cna_assigner": "Linux"
}