CVE-2026-31774 Overview
CVE-2026-31774 is a slab-out-of-bounds read vulnerability in the Linux kernel's io_uring/net subsystem. The flaw resides in io_bundle_nbufs() and stems from an integer truncation issue where sqe->len (a __u32) is stored into sr->len (an int). When userspace supplies a value greater than INT_MAX, sr->len overflows to a negative number and propagates through the bundle receive path, eventually producing an infinite loop that reads past an allocated iov[] array in the kmalloc-64 slab.
The vulnerability is tracked under [CWE-125] Out-of-Bounds Read and affects Linux kernel 7.0 release candidates.
Critical Impact
Local unprivileged users can trigger a slab-out-of-bounds read in kernel memory, leading to information disclosure or kernel panic and denial of service.
Affected Products
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Linux Kernel builds with io_uring and bundle recv/send support enabled
- Distributions shipping pre-release 7.0 kernels
Discovery Timeline
- 2026-05-01 - CVE-2026-31774 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31774
Vulnerability Analysis
The vulnerability exists in the io_uring networking bundle path. The io_uring submission queue entry (sqe) defines len as an unsigned 32-bit integer, but the networking request structure sr stores it as a signed int. This type mismatch enables an integer overflow when userspace passes values exceeding INT_MAX, such as 0xFFFFFFFF.
Once sr->len becomes negative, it is assigned to sel.val in io_recv() as a ssize_t of -1. That value is then cast to size_t in io_recv_buf_select(), producing arg.max_len = 0xFFFFFFFFFFFFFFFF. With an effectively unbounded max_len, io_ring_buffers_peek() skips clamping and writes oversized values into iov[].iov_len.
The corrupted iovec entries flow into io_bundle_nbufs(), where min_t(int, 0xFFFFFFFF, ret) evaluates to -1. The loop counter then increments rather than decrements, advancing past the allocated iovec array in the kmalloc-64 slab. KASAN reports the resulting out-of-bounds read at io_bundle_nbufs+0x128/0x160.
Root Cause
The root cause is missing input validation. sqe->len is treated as a signed integer downstream without verifying that the supplied value fits within the positive int range. Any value greater than INT_MAX is silently reinterpreted as negative, breaking length-clamping logic across the bundle receive and send paths.
Attack Vector
A local user with permission to issue io_uring operations can craft a submission queue entry with len set to a value above INT_MAX (for example, 0xFFFFFFFF) and submit a bundle recv or send request. No additional privileges are required beyond the ability to use io_uring, and no user interaction is needed.
The vulnerability is described in prose because no public proof-of-concept code is available. See the upstream patch commits for the exact code paths and fix details.
Detection Methods for CVE-2026-31774
Indicators of Compromise
- KASAN reports referencing slab-out-of-bounds in io_bundle_nbufs in kernel logs or dmesg output
- Unexpected kernel panics or oops traces with io_recv or io_recv_finish in the call stack
- Processes issuing io_uringIORING_OP_RECV or IORING_OP_SEND operations with len values above 0x7FFFFFFF
Detection Strategies
- Enable KASAN on test and pre-production kernels to catch out-of-bounds reads in the io_uring/net path
- Audit io_uring usage with eBPF or perf probes on io_recv, io_recv_finish, and io_bundle_nbufs to flag oversized len values
- Monitor kernel logs for repeated io_uring-related KASAN or BUG entries, which can indicate exploitation attempts
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized logging platform and alert on KASAN, BUG:, or io_bundle_nbufs strings
- Track which workloads use io_uring networking opcodes, especially in multi-tenant or container hosts
- Review host stability metrics for new kernel panics correlated with io_uring-heavy applications
How to Mitigate CVE-2026-31774
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories and reboot affected hosts
- Inventory hosts running Linux 7.0 release candidates and prioritize patching multi-tenant and untrusted-workload systems
- Restrict io_uring access on systems where it is not required, using the kernel.io_uring_disabled sysctl on supported kernels
Patch Information
The issue is fixed by rejecting negative sr->len values early in io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is a __u32, any value greater than INT_MAX is treated as invalid. The fix is available in the following commits: Kernel Patch Commit 1b655cd3, Kernel Patch Commit 90ced24c, Kernel Patch Commit b948f9d5, and Kernel Patch Commit c314b405.
Workarounds
- Disable io_uring system-wide where feasible by setting kernel.io_uring_disabled=2 to prevent unprivileged use
- Use seccomp profiles to block the io_uring_setup, io_uring_enter, and io_uring_register syscalls for untrusted workloads
- Limit container and sandbox access to io_uring through Kubernetes seccomp defaults or Docker policy until kernels are patched
# Disable io_uring for all users until patched
sysctl -w kernel.io_uring_disabled=2
echo 'kernel.io_uring_disabled=2' >> /etc/sysctl.d/99-io-uring.conf
# Verify the setting is applied
sysctl kernel.io_uring_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
