CVE-2026-31774
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path:
1. io_recv(): sel.val = sr->len (ssize_t gets -1)
2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF)
3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large
4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array
This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries.
BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
Read of size 8 at addr ffff888100ae05c8 by task exp/145
Call Trace:
 io_bundle_nbufs+0x128/0x160
 io_recv_finish+0x117/0xe20
 io_recv+0x2db/0x1160
Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.
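As an added illustration (not the kernel's code and not part of this CVE record), a simplified userspace model of the two pieces described above: the short-transfer counting loop in which min_t(int, ...) turns an unclamped 0xFFFFFFFF iov_len into -1, and the prep-time check the fix adds. Struct and function names (iovec_model, bundle_nbufs_model, prep_len_model) are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* min_t(int, a, b) in the kernel casts both operands to int before comparing,
 * so an iov_len of 0xFFFFFFFF compares as -1. */
#define MIN_T_INT(a, b) ((int)(a) < (int)(b) ? (int)(a) : (int)(b))
struct iovec_model { void *iov_base; size_t iov_len; };

/* Model of the short-transfer counting loop: how many iov entries did `ret`
 * bytes consume? Returns -1 where the kernel would read past the iov[] array. */
int bundle_nbufs_model(const struct iovec_model *iov, size_t n_iov, int ret)
{
    int nbufs = 0;
    if (ret <= 0)
        return 0;
    do {
        if ((size_t)nbufs >= n_iov)
            return -1;                 /* slab-out-of-bounds read in the kernel */
        int this_len = MIN_T_INT(iov[nbufs].iov_len, ret);
        nbufs++;
        ret -= this_len;               /* this_len == -1 makes ret grow, not shrink */
    } while (ret);
    return nbufs;
}

/* Model of the prep-time check the fix adds: sqe->len (__u32) is stored into an int,
 * so any value above INT_MAX wraps negative (implementation-defined in C; wraps on
 * Linux/GCC) and is rejected with -EINVAL. Returns the accepted length otherwise. */
int prep_len_model(uint32_t sqe_len)
{
    int sr_len = (int)sqe_len;
    if (sr_len < 0)
        return -EINVAL;
    return sr_len;
}

/* Constructed sample: three 16-byte buffers, 20 bytes transferred -> 2 entries used. */
int demo_sane_short_transfer(void)
{
    struct iovec_model iov[3] = {{NULL, 16}, {NULL, 16}, {NULL, 16}};
    return bundle_nbufs_model(iov, 3, 20);
}

/* Constructed sample: unclamped 0xFFFFFFFF iov_len as in the report -> loop runs off the end. */
int demo_overflowed_len(void)
{
    struct iovec_model iov[2] = {{NULL, 0xFFFFFFFFu}, {NULL, 0xFFFFFFFFu}};
    return bundle_nbufs_model(iov, 2, 10);
}
```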
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A slab-out-of-bounds read in io_uring's bundle recv/send path arises from an integer truncation when a user-supplied sqe->len exceeds INT_MAX.
Vulnerability
CVE-2026-31774 is a slab-out-of-bounds read vulnerability in the Linux kernel's io_uring subsystem, specifically in the io_bundle_nbufs() function. The root cause is a type mismatch: the length arrives from the submission queue entry as a 32-bit unsigned integer (sqe->len, __u32) but is later assigned to an int variable (sr->len). When a user passes a value larger than INT_MAX (e.g., 0xFFFFFFFF), the value wraps to a negative number in sr->len. This negative length propagates through the bundle receive/send path, leading to an infinite loop that reads beyond the allocated iovec array, resulting in a slab-out-of-bounds read from the kmalloc-64 slab [1][2][3][4].
Exploitation
An attacker with the ability to submit io_uring requests (requires the io_uring system call and appropriate permissions) can trigger this vulnerability by crafting a submission queue entry with a len field greater than INT_MAX. No additional authentication is needed beyond the ability to use io_uring. The negative length causes io_recv() to set sel.val to -1, which is then cast to a size_t in io_recv_buf_select(), resulting in an extremely large max_len. This bypasses length clamping in io_ring_buffers_peek(), allowing an oversized iov_len to reach io_bundle_nbufs(), where the min_t(int, ...) operation yields -1, causing the loop counter to increase indefinitely and read out-of-bounds [1].
Impact
Successful exploitation leads to a slab-out-of-bounds read, which can expose sensitive kernel memory contents to the attacker. This can result in information disclosure, potentially leaking data from other processes or the kernel itself. The vulnerability is rated High with a CVSS v3 score of 7.1, indicating significant confidentiality impact [1].
Mitigation
The fix, already applied in the Linux kernel stable tree, rejects negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(), covering the send and receive paths. Since sqe->len is unsigned, any value exceeding INT_MAX is invalid and is now rejected. Users should update to a kernel version containing commit 1b655cd31134 or later [1][2][3][4]. No workaround is available; patching is required.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.10,<6.12.81)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.