CVE-2026-43006

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/rsrc: reject zero-length fixed buffer import<br /> <br /> validate_fixed_range() admits buf_addr at the exact end of the<br /> registered region when len is zero, because the check uses strict<br /> greater-than (buf_end &gt; imu-&gt;ubuf + imu-&gt;len). io_import_fixed()<br /> then computes offset == imu-&gt;len, which causes the bvec skip logic<br /> to advance past the last bio_vec entry and read bv_offset from<br /> out-of-bounds slab memory.<br /> <br /> Return early from io_import_fixed() when len is zero. A zero-length<br /> import has no data to transfer and should not walk the bvec array<br /> at all.<br /> <br /> BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0<br /> Read of size 4 at addr ffff888002bcc254 by task poc/103<br /> Call Trace:<br /> io_import_reg_buf+0x697/0x7f0<br /> io_write_fixed+0xd9/0x250<br /> __io_issue_sqe+0xad/0x710<br /> io_issue_sqe+0x7d/0x1100<br /> io_submit_sqes+0x86a/0x23c0<br /> __do_sys_io_uring_enter+0xa98/0x1590<br /> Allocated by task 103:<br /> The buggy address is located 12 bytes to the right of<br /> allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)