CVE-2026-43442

Source
https://cve.org/CVERecord?id=CVE-2026-43442
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43442.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43442
Downstream
Published
2026-05-08T14:22:10.656Z
Modified
2026-07-15T01:49:06.475060497Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring: fix physical SQE bounds check for SQEMIXED 128-byte ops

When IORINGSETUPSQEMIXED is used without IORINGSETUPNOSQARRAY, the boundary check for 128-byte SQE operations in ioinitreq() validated the logical SQ head position rather than the physical SQE index.

The existing check:

!(ctx->cachedsqhead & (ctx->sq_entries - 1))

ensures the logical position isn't at the end of the ring, which is correct for NOSQARRAY rings where physical == logical. However, when sqarray is present, an unprivileged user can remap any logical position to an arbitrary physical index via sqarray. Setting sqarray[N] = sqentries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in iouringcmdsqe_copy() to read 64 bytes past the end of the SQE array.

Replace the cachedsqhead alignment check with a direct validation of the physical SQE index, which correctly handles both sqarray and NOSQARRAY cases.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43442.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1cba30bf9fdd6c982708f3587f609a30c370d889
Fixed
1f794f9bed3e5cf7250a3b4daf112a72ed1513e9
Fixed
6f02c6b196036dbb6defb4647d8707d29b7fe95b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43442.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43442.json"