CVE-2026-31774
Published: 01 May 2026
Summary
CVE-2026-31774 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied sqe->len values in io_uring to reject oversized inputs exceeding INT_MAX, preventing integer overflow and subsequent slab-out-of-bounds read.
Mandates timely remediation of the specific kernel flaw via patching io_sendmsg_prep() and io_recvmsg_prep() to block negative sr->len values, eliminating the vulnerability root cause.
Implements memory protection techniques such as KASAN or page protections to detect and mitigate slab-out-of-bounds reads in io_bundle_nbufs() even if invalid inputs propagate.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB kernel memory read directly enables credential access via exploitation (T1212); integer overflow/infinite loop enables system DoS via application/system exploitation (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs() sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a…
more
negative value. This negative value propagates through the bundle recv/send path: 1. io_recv(): sel.val = sr->len (ssize_t gets -1) 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF) 3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs() 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries. BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160 Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.
Deeper analysisAI
CVE-2026-31774 is a slab-out-of-bounds read vulnerability in the Linux kernel's io_uring/net subsystem, specifically within the io_bundle_nbufs() function. The issue arises because the sqe->len field, defined as a __u32, is stored into sr->len, which is an int. When userspace provides a sqe->len value exceeding INT_MAX, such as 0xFFFFFFFF, sr->len overflows to a negative value. This negative length propagates through the recv/send path, causing io_recv() to set sel.val to -1 (as ssize_t), io_recv_buf_select() to interpret max_len as 0xFFFFFFFFFFFFFFFF (as size_t), and ultimately leading to an unclamped buf->len in io_ring_buffers_peek(). In io_bundle_nbufs(), this results in min_t(int, 0xFFFFFFFF, ret) yielding -1, which increments nbufs instead of decrementing it, creating an infinite loop that reads past the allocated iovec array from the kmalloc-64 slab.
A local attacker with low privileges can exploit this vulnerability by submitting a malicious io_uring submission queue entry (SQE) with an oversized sqe->len value during bundled recv or send operations. This triggers the integer overflow and infinite loop, resulting in a slab-out-of-bounds read. According to the CVSS v3.1 score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), exploitation enables high-impact confidentiality violations through out-of-bounds memory access and high availability disruption via kernel crash or denial of service.
The provided kernel patch references detail the mitigation, which involves rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep() functions. Since sqe->len is a __u32, values greater than INT_MAX are treated as invalid overflows and are blocked upfront, preventing the negative length from propagating through the io_uring net paths. These fixes are available in stable kernel commits at the referenced git.kernel.org URLs.
Details
- CWE(s)