CVE-2026-43442 Overview
CVE-2026-43442 is a Linux kernel vulnerability in the io_uring subsystem. The flaw involves an incorrect bounds check for 128-byte Submission Queue Entry (SQE) operations when IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY. An unprivileged local user can remap a logical SQ position to an arbitrary physical SQE index, causing a 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array.
Critical Impact
A local unprivileged attacker can trigger an out-of-bounds read in kernel memory, leading to information disclosure or kernel crash conditions affecting system availability.
Affected Products
- Linux kernel versions implementing IORING_SETUP_SQE_MIXED support in io_uring
- Distributions shipping affected upstream kernels prior to the fix commits
- Systems with io_uring enabled for unprivileged users
Discovery Timeline
- 2026-05-08 - CVE-2026-43442 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43442
Vulnerability Analysis
The vulnerability resides in io_init_req() within the Linux kernel io_uring subsystem. When a userspace application initializes an io_uring instance with IORING_SETUP_SQE_MIXED and the SQ array indirection enabled, the kernel must validate that 128-byte SQE operations do not cross the physical boundary of the SQE buffer.
The pre-patch check !(ctx->cached_sq_head & (ctx->sq_entries - 1)) validates the logical SQ head position. This assumes the logical position equals the physical SQE index, which only holds when IORING_SETUP_NO_SQARRAY is used. With the SQ array present, userspace controls the mapping from logical to physical indices.
A local attacker can set sq_array[N] = sq_entries - 1, directing a 128-byte SQE operation to the final physical slot. The subsequent memcpy in io_uring_cmd_sqe_copy() then reads 64 bytes beyond the allocated SQE array.
Root Cause
The boundary check operates on the logical SQ head index rather than the physical SQE index. This is a classic confusion between an attacker-controlled indirection layer and the underlying memory layout. Because sq_array is mapped to userspace and writable by the ring owner, the kernel cannot trust the logical-to-physical mapping when enforcing safety invariants.
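The logical-versus-physical confusion described above, as a userspace C model added here for illustration; it is not kernel code and not the upstream patch. The names `ring_model`, `fetch_phys_index`, `overread_bytes` and the shape of `fixed_allows` are assumptions, as is the premise that the logical head has already advanced when the check runs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: names follow the advisory; layout and flow are simplified. */
#define SQ_ENTRIES 8u   /* constructed ring size, power of two for the mask */
#define SQE_SIZE   64u  /* one physical slot; a 128-byte op spans two */

struct ring_model {
    uint32_t cached_sq_head;        /* logical head, advanced when an entry is fetched */
    bool     no_sqarray;            /* models IORING_SETUP_NO_SQARRAY */
    uint32_t sq_array[SQ_ENTRIES];  /* logical -> physical map, writable by ring owner */
};

/* Fetch the next entry and return its physical SQE index (model masks the mapping). */
static uint32_t fetch_phys_index(struct ring_model *r) {
    uint32_t logical = r->cached_sq_head++ & (SQ_ENTRIES - 1);
    return r->no_sqarray ? logical : (r->sq_array[logical] & (SQ_ENTRIES - 1));
}

/* Pre-patch check quoted in the advisory: looks only at the logical head. */
static bool prepatch_allows(const struct ring_model *r) {
    return (r->cached_sq_head & (SQ_ENTRIES - 1)) != 0;
}

/* Assumed shape of the fix: slots phys and phys + 1 must both lie in the array. */
static bool fixed_allows(uint32_t phys) {
    return phys + 1 < SQ_ENTRIES;
}

/* -1 if the 128-byte op is rejected, else bytes a 128-byte copy reads past the array. */
static int overread_bytes(bool fixed, bool no_sqarray, uint32_t logical, uint32_t mapped) {
    struct ring_model r = { .cached_sq_head = logical, .no_sqarray = no_sqarray };
    for (uint32_t i = 0; i < SQ_ENTRIES; i++)   /* identity map except the slot under test */
        r.sq_array[i] = (i == (logical & (SQ_ENTRIES - 1))) ? mapped : i;
    uint32_t phys = fetch_phys_index(&r);
    if (!(fixed ? fixed_allows(phys) : prepatch_allows(&r)))
        return -1;
    uint32_t end = (phys + 2) * SQE_SIZE, size = SQ_ENTRIES * SQE_SIZE;
    return end > size ? (int)(end - size) : 0;
}

int main(void) {
    printf("pre-patch: %d, fixed: %d\n",
           overread_bytes(false, false, 0, 7), overread_bytes(true, false, 0, 7));
    return 0;
}
```

With the SQ array present, the logical-head check admits a 128-byte op whose physical slot is the last one, while the physical-index check rejects it in both ring configurations.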
Attack Vector
Exploitation requires local access and the ability to create an io_uring instance. The attacker creates a ring with IORING_SETUP_SQE_MIXED and without IORING_SETUP_NO_SQARRAY, populates sq_array so a 128-byte op maps to the last physical SQE index, then submits the operation. The resulting out-of-bounds read in io_uring_cmd_sqe_copy() exposes adjacent kernel memory to the request handler or destabilizes the kernel. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H reflects local exploitation by a low-privilege user with high confidentiality and availability impact.
No public proof-of-concept code has been released. See the upstream fix commits 1f794f9bed3e and 6f02c6b19603 for the corrected validation logic.
Detection Methods for CVE-2026-43442
Indicators of Compromise
- Unexpected kernel oops, KASAN reports, or BUG: messages referencing io_uring_cmd_sqe_copy or io_init_req in dmesg
- Processes creating io_uring instances with IORING_SETUP_SQE_MIXED flag from unprivileged contexts
- Unusual ring configurations where sq_array entries are repeatedly set to high indices approaching sq_entries - 1
Detection Strategies
- Audit io_uring_setup syscalls and flag invocations using IORING_SETUP_SQE_MIXED without IORING_SETUP_NO_SQARRAY
- Enable kernel runtime memory safety tooling such as KASAN in test environments to catch out-of-bounds reads
- Monitor kernel logs for crash signatures originating from the io_uring subsystem
Monitoring Recommendations
- Collect and centralize auditd records for io_uring_setup, io_uring_enter, and io_uring_register syscalls
- Track kernel ring buffer messages for KASAN, slab-out-of-bounds, or general protection faults tied to io_uring
- Inventory hosts running kernels that include SQE_MIXED support to scope exposure
How to Mitigate CVE-2026-43442
Immediate Actions Required
- Apply the upstream kernel patches referenced in the fix commits and rebuild or update affected kernels
- Restrict io_uring to trusted users via kernel.io_uring_disabled sysctl where the workload allows
- Identify hosts exposing io_uring to untrusted local users such as container workloads or multi-tenant systems and prioritize patching
Patch Information
The fix replaces the cached_sq_head alignment check with direct validation of the physical SQE index, correctly handling both sq_array and NO_SQARRAY configurations. Apply the upstream commits 1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 and 6f02c6b196036dbb6defb4647d8707d29b7fe95b, or update to a distribution kernel that incorporates them.
Workarounds
- Disable io_uring system-wide by setting kernel.io_uring_disabled=2 via sysctl where workloads do not require it
- Use seccomp profiles or Landlock policies to block io_uring_setup for untrusted processes and containers
- Limit container runtimes to seccomp defaults that deny io_uring syscalls until the patched kernel is deployed
```bash
# Disable io_uring for all users until the patched kernel is deployed
echo 'kernel.io_uring_disabled = 2' | sudo tee /etc/sysctl.d/99-disable-io_uring.conf
sudo sysctl --system
# Verify the setting
sysctl kernel.io_uring_disabled
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


