CVE-2026-43442

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the io uring component where the boundary check for 128-byte Submission Queue Entry (SQE) operations in the io init req() function validates the logical SQ head position instead of the physical SQE index when IORING SETUP SQE MIXED is used without IORING SETUP NO SQARRAY. An unprivileged user can utilize sq array to remap a logical position to an arbitrary physical index. By setting sq array[N] to sq entries - 1, a 128-byte operation is placed at the last physical SQE slot, leading the io uring cmd sqe copy() function to read 64 bytes beyond the end of the SQE array.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.