io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()

Summary

CVE	CVE-2026-31774
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-01 15:16:40 UTC
Updated	2026-05-03 07:16:20 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs() sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path: 1. io_recv(): sel.val = sr->len (ssize_t gets -1) 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF) 3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs() 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries. BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160 Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.046600000 (date 2026-05-02)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`
3.1	CNA	DECLARED	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected a05d1f625c7aa681d8816bc0f10089289ad07aad 90ced24c500ad4e129e9e34b7e56fd7849e350b6 git	Not specified
CNA	Linux	Linux	affected a05d1f625c7aa681d8816bc0f10089289ad07aad c314b405dcc4d8b9041124f928f81715d6328bec git	Not specified
CNA	Linux	Linux	affected a05d1f625c7aa681d8816bc0f10089289ad07aad 1b655cd311344117d3052f6552cb20d9901c9d7c git	Not specified
CNA	Linux	Linux	affected a05d1f625c7aa681d8816bc0f10089289ad07aad b948f9d5d3057b01188e36664e7c7604d1c8ecb5 git	Not specified
CNA	Linux	Linux	affected 6.10	Not specified
CNA	Linux	Linux	unaffected 6.10 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.81 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.22 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.12 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b948f9d5d3057b01188e36664e7c7604d1c8ecb5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1b655cd311344117d3052f6552cb20d9901c9d7c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c314b405dcc4d8b9041124f928f81715d6328bec	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/90ced24c500ad4e129e9e34b7e56fd7849e350b6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.