KernelScan.io

HIGH

io_uring fdinfo OOB

CVE-2026-31484

CVSS 7.1 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H



In the Linux kernel, the following vulnerability has been resolved:

io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes.

Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.


Engine v0.2.0

Risk summary

A local attacker can trigger an out-of-bounds read in the kernel when the io_uring fdinfo display processes a mixed-size SQE ring. This could leak kernel memory contents or cause system instability. The vulnerability requires local access and the ability to use io_uring, so it is primarily a concern on multi-user systems or in containers where untrusted code can run.

Affected: io_uring/fdinfo.c

Vulnerability analysis

Root Cause: In __io_uring_show_fdinfo(), the bounds check for detecting when a 128-byte SQE would wrap past the end of the sq_sqes array was incorrect. The code checked (++sq_head & sq_mask) == 0, but sq_head was only incremented when encountering 128-byte SQEs, not on every iteration. This meant the actual array index sq_idx = (i + sq_head) & sq_mask could reach sq_mask (the last valid slot) while the wrap check incorrectly passed, allowing an out-of-bounds read when accessing the second half of a 128-byte SQE.

Attack Surface: This vulnerability affects local processes that can create io_uring instances with IORING_SETUP_SQE_MIXED configuration and trigger fdinfo display (e.g., via /proc/PID/fdinfo/FD). The attack requires local access and the ability to create io_uring rings, but no special privileges beyond normal user access to io_uring.

Fix Mechanism: The patch fixes the bounds check by directly testing sq_idx == sq_mask instead of the flawed (++sq_head & sq_mask) == 0 condition. The sq_head increment is kept, outside the condition, so the loop still skips the second half of the 128-byte SQE on the next iteration while the bounds check now reflects the array index actually being accessed.
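The index arithmetic behind the bug, as an added illustration that is a constructed model of the walk described above and not the kernel's code: a small ring with 128-byte SQEs in slots 5 and 7 (constructed values) is walked once with the old `(++sq_head & sq_mask) == 0` check and once with the fixed `sq_idx == sq_mask` check, counting how often the second half would be read past the end of the array.

```c
#include <stdbool.h>

/* Constructed model of the fdinfo SQE walk, not the kernel's code. The ring
 * has sq_entries slots (power of two, sq_mask = sq_entries - 1); `pending` is
 * the number of slots between head and tail that the walk visits. A 128-byte
 * SQE occupies slot sq_idx and the slot after it, so its second half lies
 * past the array when sq_idx == sq_mask. */
#define MAX_SLOTS 64

struct ring_model {
    unsigned sq_entries;
    unsigned sq_head;            /* ring head when fdinfo runs */
    unsigned pending;            /* slots between head and tail */
    bool is_128b[MAX_SLOTS];     /* slot holds the first half of a 128-byte SQE */
};

/* Count how often the second half of a 128-byte SQE would be read from
 * sq_sqes[sq_mask + 1], i.e. out of bounds.
 *   fixed == false: wrap check is (++sq_head & sq_mask) == 0 (the buggy check)
 *   fixed == true : wrap check is sq_idx == sq_mask; sq_head is still bumped */
static unsigned oob_second_half_reads(const struct ring_model *r, bool fixed)
{
    unsigned sq_mask = r->sq_entries - 1;
    unsigned sq_head = r->sq_head;
    unsigned oob = 0;

    for (unsigned i = 0; i < r->pending; i++) {
        unsigned sq_idx = (i + sq_head) & sq_mask;   /* the index actually used */
        bool wraps;

        if (!r->is_128b[sq_idx])
            continue;                                /* ordinary 64-byte SQE */
        if (fixed) {
            wraps = (sq_idx == sq_mask);
            sq_head++;           /* so the next iteration skips the second half */
        } else {
            wraps = ((++sq_head & sq_mask) == 0);    /* tests sq_head, not sq_idx */
        }
        if (wraps)
            continue;            /* wrap detected: second half is not touched */
        if (sq_idx == sq_mask)
            oob++;               /* sqe + 1 is sq_sqes[sq_entries]: out of bounds */
    }
    return oob;
}

/* Constructed scenario: 8-slot ring, head at 5, three pending slots, and
 * 128-byte SQEs whose first halves sit in slots 5 and 7. */
static unsigned scenario_oob_reads(bool fixed)
{
    struct ring_model r = { .sq_entries = 8, .sq_head = 5, .pending = 3 };
    r.is_128b[5] = true;
    r.is_128b[7] = true;
    return oob_second_half_reads(&r, fixed);   /* buggy check: 1, fixed check: 0 */
}
```

With the old check, the SQE in slot 7 is reached at i = 1 with sq_head already bumped to 6, so `++sq_head & sq_mask` is 7 and the wrap goes unnoticed; the fixed check looks at sq_idx itself and stops before the second half.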


Branch      Fixed in    Patch commit
6.19        6.19.11     ba21ab247a5b
mainline    7.0         5170efd9c344