CVE-2026-31774

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()<br /> <br /> sqe-&gt;len is __u32 but gets stored into sr-&gt;len which is int. When<br /> userspace passes sqe-&gt;len values exceeding INT_MAX (e.g. 0xFFFFFFFF),<br /> sr-&gt;len overflows to a negative value. This negative value propagates<br /> through the bundle recv/send path:<br /> <br /> 1. io_recv(): sel.val = sr-&gt;len (ssize_t gets -1)<br /> 2. io_recv_buf_select(): arg.max_len = sel-&gt;val (size_t gets<br /> 0xFFFFFFFFFFFFFFFF)<br /> 3. io_ring_buffers_peek(): buf-&gt;len is not clamped because max_len<br /> is astronomically large<br /> 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()<br /> 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,<br /> causing ret to increase instead of decrease, creating an<br /> infinite loop that reads past the allocated iov[] array<br /> <br /> This results in a slab-out-of-bounds read in io_bundle_nbufs() from<br /> the kmalloc-64 slab, as nbufs increments past the allocated iovec<br /> entries.<br /> <br /> BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160<br /> Read of size 8 at addr ffff888100ae05c8 by task exp/145<br /> Call Trace:<br /> io_bundle_nbufs+0x128/0x160<br /> io_recv_finish+0x117/0xe20<br /> io_recv+0x2db/0x1160<br /> <br /> Fix this by rejecting negative sr-&gt;len values early in both<br /> io_sendmsg_prep() and io_recvmsg_prep(). Since sqe-&gt;len is __u32,<br /> any value &gt; INT_MAX indicates overflow and is not a valid length.