io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-31484
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-22 14:16:45 UTC
Updated2026-04-22 14:16:45 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check __io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes. Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 1cba30bf9fdd6c982708f3587f609a30c370d889 ba21ab247a5be5382da7464b95afbe5f0e9aa503 git Not specified
CNA Linux Linux affected 1cba30bf9fdd6c982708f3587f609a30c370d889 5170efd9c344c68a8075dcb8ed38d3f8a60e7ed4 git Not specified
CNA Linux Linux affected 6.19 Not specified
CNA Linux Linux unaffected 6.19 semver Not specified
CNA Linux Linux unaffected 6.19.11 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/ba21ab247a5be5382da7464b95afbe5f0e9aa503 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/5170efd9c344c68a8075dcb8ed38d3f8a60e7ed4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report