* CVE-2026-43366: io_uring/kbuf: check if target buffer list is still legacy on recycle
@ 2026-05-08 14:21 Greg Kroah-Hartman
0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2026-05-08 14:21 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
From: Greg Kroah-Hartman <gregkh@kernel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: check if target buffer list is still legacy on recycle
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
The Linux kernel CVE team has assigned CVE-2026-43366 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 6.1.167 with commit a7b33671e418fca507feebd1d56e7f4952a4b25c
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 6.6.130 with commit 439a6728ec4641ffad1ca796622c19bc525e570f
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 6.12.78 with commit f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 6.18.19 with commit 50ad880db3013c6fee0ef13781762a39e2e7ef83
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 6.19.9 with commit 97b57f69fee1b61b41acbf37e7720cac9d389fa4
Issue introduced in 5.19 with commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a and fixed in 7.0 with commit c2c185be5c85d37215397c8e8781abf0a69bec1f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-43366
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
io_uring/kbuf.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c
https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f
https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa
https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83
https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4
https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-08 14:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 14:21 CVE-2026-43366: io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox