CVE-2026-43442

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops<br /> <br /> When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,<br /> the boundary check for 128-byte SQE operations in io_init_req()<br /> validated the logical SQ head position rather than the physical SQE<br /> index.<br /> <br /> The existing check:<br /> <br /> !(ctx-&gt;cached_sq_head &amp; (ctx-&gt;sq_entries - 1))<br /> <br /> ensures the logical position isn&amp;#39;t at the end of the ring, which is<br /> correct for NO_SQARRAY rings where physical == logical. However, when<br /> sq_array is present, an unprivileged user can remap any logical<br /> position to an arbitrary physical index via sq_array. Setting<br /> sq_array[N] = sq_entries - 1 places a 128-byte operation at the last<br /> physical SQE slot, causing the 128-byte memcpy in<br /> io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE<br /> array.<br /> <br /> Replace the cached_sq_head alignment check with a direct validation<br /> of the physical SQE index, which correctly handles both sq_array and<br /> NO_SQARRAY cases.