Home/CVE/In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: reject zero-length fixed buffer impo
CVE

CVE-2026-43006

In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: reject zero-length fixed buffer impo

In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: reject zero-length fixed buffer import validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu-ubuf + imu-len). io_import_fixed() then computes offset == imu-len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory. Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.

BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0 Read of size 4 at addr ffff888002bcc254 by task poc/103 Call Trace: io_import_reg_buf+0x697/0x7f0 io_write_fixed+0xd9/0x250 __io_issue_sqe+0xad/0x710 io_issue_sqe+0x7d/0x1100 io_submit_sqes+0x86a/0x23c0 __do_sys_io_uring_enter+0xa98/0x1590 Allocated by task 103: The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)

HIGH · CVSS 7.1 EPSS 0.00015
Schedule remediation
  • CVSS base score ≥ 7.0
Sigma rules0 YARA rules0

Weakness Classification

CWE-125Out-of-bounds Read

Affected Products & Versions

3
linux kernel>= 6.15 and < 6.18.22
linux kernel>= 6.19 and < 6.19.12
linux kernelall versions

Scoring & Timeline

7.1
HIGH · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD01 May 2026 · 03:16 PM
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Vendor Advisories

1
rhsaRHSA-2026:21557Moderate
🔗

References & Sources

3
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://git.kernel.org/stable/c/040a1e7e0e2f01851fec1dd2d96906f8636a9f75Patch
https://git.kernel.org/stable/c/111a12b422a8cfa93deabaef26fec48237163214Patch
https://git.kernel.org/stable/c/40170fc1a79c1b2e68f09ae6aac687b7305ae6f4Patch
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin