VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45962

Description

In the Linux kernel, the following vulnerability has been resolved:

ublk: Validate SQE128 flag before accessing the cmd

ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before IO_URING_F_SQE128 flag check. This could cause out of boundary memory access.

Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return -EINVAL immediately if the flag is not set.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing SQE128 flag check in ublk_ctrl_cmd_dump() can cause out-of-bounds memory access; fixed by moving the check earlier.

Vulnerability

In the Linux kernel, the ublk_ctrl_cmd_dump() function in the ublk driver accesses (header *)sqe->cmd before validating that the IO_URING_F_SQE128 flag is set. This omission may lead to an out-of-bounds memory access because the sqe->cmd field is only valid when the SQE128 flag is present. The affected code is in the ublk_ctrl_uring_cmd() function, and the vulnerability exists in kernel versions prior to the fix commit da7e4b75e50c087d2031a92f6646eb90f7045a67 [1].

Exploitation

An attacker must have the ability to submit io_uring requests using the UBLK_CMD opcode to the ublk device. The attacker crafts an io_uring submission queue entry (SQE) without the IO_URING_F_SQE128 flag, which causes the ublk_ctrl_cmd_dump() function to incorrectly interpret memory beyond the intended sqe->cmd field. No special privileges other than access to the ublk character device are required; the attacker must be able to issue io_uring_enter() calls with appropriate parameters [1].

Impact

Successful exploitation results in an out-of-bounds memory read or potential write, which can lead to information disclosure or system instability. The attacker gains no elevated privileges directly from this bug, but leaking kernel memory contents could be used to bypass KASLR or obtain sensitive data [1].

Mitigation

The fix moves the IO_URING_F_SQE128 flag check earlier in ublk_ctrl_uring_cmd() so that the function returns -EINVAL immediately if the flag is not set. The commit da7e4b75e50c087d2031a92f6646eb90f7045a67 resolves the issue; users should apply the patch or update to a Linux kernel version that includes it. No workaround is available without patching [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

12
da7e4b75e50c

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 7.0 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 5efaf53261cecf..01088194c8d35d 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -5221,10 +5221,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	    issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = ublk_check_cmd_op(cmd_op);
     	if (ret)
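Review bot: the early `return -EINVAL` that replaces `goto out` bypasses whatever the `out:` label does, and that label is not visible in this hunk; please confirm it carries no completion, logging or cleanup that the SQE128 rejection path still needs, and say so in the commit message. A one-line comment above the flag check stating that `sqe->cmd` only holds the full header with SQE128 would also keep a later cleanup from hoisting `ublk_ctrl_cmd_dump(cmd)` back above it.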
    
4b4dff498f46

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 6.1.165 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 3a7c42f76d894a..121b62f8bb0a28 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -2010,10 +2010,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	if (issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = -EPERM;
     	if (!capable(CAP_SYS_ADMIN))
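Review bot: in this backport `ublk_ctrl_cmd_dump(cmd)` still runs ahead of the `capable(CAP_SYS_ADMIN)` test in the trailing context, so the header is parsed for callers that are refused with -EPERM two lines later. The SQE128 check now keeps that access in bounds, but moving the dump below the capability check would stop unprivileged submissions from reaching it at all.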
    
dbe8e81a2ec6

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 6.12.75 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 2d46383e8d26b2..c6a59f02944fce 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -3026,10 +3026,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	if (issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = ublk_check_cmd_op(cmd_op);
     	if (ret)
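Review bot: the `IO_URING_F_NONBLOCK` test in the leading context still precedes the SQE128 check, so a submission without SQE128 that is issued non-blocking gets -EAGAIN first and is only rejected with -EINVAL once it is issued again. Nothing touches `sqe->cmd` on that path, so it is safe, but putting the flag check first would fail malformed submissions without the extra round trip.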
    
31cac6acf77e

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 6.6.128 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 44f630a3f610bd..89c1d6ec7adaa8 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -2908,10 +2908,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	if (issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = ublk_check_cmd_op(cmd_op);
     	if (ret)
    
f75a5555e004

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 6.18.14 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 56058090d223e7..965460d4fc76ea 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -3841,10 +3841,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	if (issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = ublk_check_cmd_op(cmd_op);
     	if (ret)
    
17d33ba72911

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · Fixed in 6.19.4 · via kernel-cna
2 files changed · +6 8
  • drivers/block/ublk_drv.c+3 4 modified
    diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
    index 6000517645e12f..0ce0e537fb8504 100644
    --- a/drivers/block/ublk_drv.c
    +++ b/drivers/block/ublk_drv.c
    @@ -3786,10 +3786,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
     	    issue_flags & IO_URING_F_NONBLOCK)
     		return -EAGAIN;
     
    -	ublk_ctrl_cmd_dump(cmd);
    -
     	if (!(issue_flags & IO_URING_F_SQE128))
    -		goto out;
    +		return -EINVAL;
    +
    +	ublk_ctrl_cmd_dump(cmd);
     
     	ret = ublk_check_cmd_op(cmd_op);
     	if (ret)
    
da7e4b75e50c

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    
dbe8e81a2ec6

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    
f75a5555e004

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    
17d33ba72911

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    
31cac6acf77e

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    
4b4dff498f46

ublk: Validate SQE128 flag before accessing the cmd

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Govindarajulu Varadarajan · Jan 30, 2026 · via nvd-ref
2 files changed · +6 8
    

Vulnerability mechanics

Root cause

"Missing SQE128 flag validation before accessing sqe->cmd allows out-of-bounds memory read."

Attack vector

An attacker with `CAP_SYS_ADMIN` can submit an io_uring command to the ublk control device without setting the `IO_URING_F_SQE128` flag. Because the flag check was performed after calling `ublk_ctrl_cmd_dump()`, the kernel reads `(header *)sqe->cmd` from memory beyond the actual submission queue entry. This out-of-bounds read could leak sensitive kernel memory or cause a crash. The attacker needs local access and the `CAP_SYS_ADMIN` capability.

Affected code

The vulnerability is in `ublk_ctrl_uring_cmd()` in `drivers/block/ublk_drv.c`. The function called `ublk_ctrl_cmd_dump(cmd)` before checking the `IO_URING_F_SQE128` flag. The `ublk_ctrl_cmd_dump()` function accesses `(header *)sqe->cmd`, which is only valid when the SQE128 flag is set; without the flag, the `cmd` field is out of bounds.

What the fix does

The patch moves the `IO_URING_F_SQE128` flag check to before the call to `ublk_ctrl_cmd_dump(cmd)`, and changes the failure path from `goto out` to `return -EINVAL`. This ensures the function returns an error immediately if the SQE128 flag is not set, preventing any access to `sqe->cmd` when it is out of bounds. The same logical change is applied across all stable backport variants.
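The ordering described under "Affected code" and "What the fix does", as a userspace model added here (it is not kernel code and not taken from the patch). The 64-byte slot, the command offset of 48, the 32-byte `ctrl_hdr` and every function name are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants, assumed from the io_uring UAPI layout: a normal SQE is
 * 64 bytes with the command area starting at byte 48; SQE128 doubles the slot. */
#define SQE_SIZE     64u
#define SQE128_SIZE  128u
#define CMD_OFFSET   48u
#define F_SQE128     0x1u /* hypothetical stand-in for IO_URING_F_SQE128 */
#define SLOT_SIZE(f) (((f) & F_SQE128) ? SQE128_SIZE : SQE_SIZE)

/* Hypothetical 32-byte stand-in for the header that sqe->cmd is cast to. */
struct ctrl_hdr {
	uint32_t dev_id;
	uint16_t queue_id, len;
	uint64_t addr, data;
	uint16_t dev_path_len, pad;
	uint32_t reserved;
};
static size_t oob_bytes; /* header bytes requested beyond the slot */

/* Bounds-aware stand-in for ublk_ctrl_cmd_dump(): copies what is in bounds
 * and counts the remainder instead of actually reading it. */
static void cmd_dump(const uint8_t *sqe, size_t slot, struct ctrl_hdr *h)
{
	size_t avail = slot - CMD_OFFSET;
	size_t n = sizeof(*h) < avail ? sizeof(*h) : avail;
	memset(h, 0, sizeof(*h));
	memcpy(h, sqe + CMD_OFFSET, n);
	oob_bytes += sizeof(*h) - n;
}

/* Ordering before the fix: the header is touched, then the flag is checked. */
int ctrl_cmd_pre_fix(const uint8_t *sqe, unsigned int issue_flags)
{
	struct ctrl_hdr h;
	cmd_dump(sqe, SLOT_SIZE(issue_flags), &h);
	if (!(issue_flags & F_SQE128))
		return -EINVAL; /* the original code took "goto out" here */
	return 0;
}

/* Ordering after the fix: reject first, touch the header only with SQE128. */
int ctrl_cmd_post_fix(const uint8_t *sqe, unsigned int issue_flags)
{
	struct ctrl_hdr h;
	if (!(issue_flags & F_SQE128))
		return -EINVAL;
	cmd_dump(sqe, SLOT_SIZE(issue_flags), &h);
	return 0;
}

/* Bytes requested past a constructed, zero-filled slot for one ordering. */
size_t oob_for(int fixed, unsigned int issue_flags)
{
	static const uint8_t ring[SQE128_SIZE] = { 0 };
	int (*fn)(const uint8_t *, unsigned int) = fixed ? ctrl_cmd_post_fix : ctrl_cmd_pre_fix;
	oob_bytes = 0;
	fn(ring, issue_flags);
	return oob_bytes;
}

int main(void)
{
	printf("no SQE128: pre-fix %zu, post-fix %zu bytes past the slot\n", oob_for(0, 0), oob_for(1, 0));
	return 0;
}
```

In this model only the pre-fix ordering without SQE128 asks for bytes beyond the slot; the post-fix ordering returns -EINVAL before the header is touched.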

Preconditions

  • auth: Attacker must have CAP_SYS_ADMIN capability
  • input: Attacker must have local access to submit io_uring commands to the ublk control device
  • input: The submitted io_uring command must not have the IO_URING_F_SQE128 flag set

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
