In the Linux kernel, the following vulnerability has been resolved:
iouring: fix physical SQE bounds check for SQEMIXED 128-byte ops
When IORINGSETUPSQEMIXED is used without IORINGSETUPNOSQARRAY, the boundary check for 128-byte SQE operations in ioinitreq() validated the logical SQ head position rather than the physical SQE index.
The existing check:
!(ctx->cachedsqhead & (ctx->sq_entries - 1))
ensures the logical position isn't at the end of the ring, which is correct for NOSQARRAY rings where physical == logical. However, when sqarray is present, an unprivileged user can remap any logical position to an arbitrary physical index via sqarray. Setting sqarray[N] = sqentries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in iouringcmdsqe_copy() to read 64 bytes past the end of the SQE array.
Replace the cachedsqhead alignment check with a direct validation of the physical SQE index, which correctly handles both sqarray and NOSQARRAY cases.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43442.json",
"cna_assigner": "Linux"
}