Cyber Posture

CVE-2026-43006

High

Published: 01 May 2026

Modified: 03 May 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (2.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-43006 is a high-severity vulnerability of an unspecified weakness type in Kernel (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 2.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Timely flaw remediation through application of the kernel patch rejecting zero-length fixed buffer imports directly eliminates the out-of-bounds read vulnerability in io_uring.

prevent

Information input validation of io_uring SQE buffer addresses and lengths prevents admission of invalid zero-length fixed buffers that trigger out-of-bounds slab access.

prevent

Proper error handling in io_import_fixed ensures early return on zero-length imports, avoiding bvec array traversal and subsequent out-of-bounds memory reads.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability directly enables a local attacker to trigger a kernel crash (slab OOB read) via crafted io_uring SQE, matching Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: reject zero-length fixed buffer import

validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.

Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.

BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103

Call Trace:
io_import_reg_buf+0x697/0x7f0
io_write_fixed+0xd9/0x250
__io_issue_sqe+0xad/0x710
io_issue_sqe+0x7d/0x1100
io_submit_sqes+0x86a/0x23c0
__do_sys_io_uring_enter+0xa98/0x1590

Allocated by task 103:

The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)

Deeper analysis

CVE-2026-43006 is a slab-out-of-bounds read vulnerability in the Linux kernel's io_uring subsystem, specifically in the handling of fixed buffer imports. The issue arises in validate_fixed_range(), which permits a buffer address at the exact end of a registered region when the length is zero due to a strict greater-than check. This leads io_import_fixed() to compute an offset equal to the registered buffer length, causing the bio_vec skip logic to advance past the last entry and read the bv_offset from out-of-bounds slab memory in io_import_reg_buf().

A local attacker with low privileges can exploit this vulnerability by submitting a specially crafted io_uring submission queue entry (SQE) via the io_uring_enter syscall, as demonstrated in the KASAN trace involving io_write_fixed() and __io_issue_sqe(). Successful exploitation results in a slab-out-of-bounds read of size 4, yielding high confidentiality impact through potential information disclosure and high availability impact via kernel crash or denial of service. The CVSS v3.1 base score is 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating low attack complexity with no user interaction required.

Mitigation is provided through kernel patches available in stable trees, including commits such as 040a1e7e0e2f01851fec1dd2d96906f8636a9f75, 111a12b422a8cfa93deabaef26fec48237163214, and 40170fc1a79c1b2e68f09ae6aac687b7305ae6f4. These patches reject zero-length fixed buffer imports by returning early from io_import_fixed() when the length is zero, preventing bvec array traversal and out-of-bounds access entirely, as zero-length imports transfer no data.
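
The boundary case described above, as a userspace C model added here (not kernel code and not taken from the patch). The struct layout, the sample buffer and the function names are assumptions; the walk only reports which segment index would be read and never touches out-of-range memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: these structs are assumptions, not kernel types. */
struct seg { size_t bv_len; size_t bv_offset; };
struct reg_buf { uint64_t ubuf; size_t len; size_t nr_segs; const struct seg *segs; };

/* Constructed sample: one registered buffer backed by three 4 KiB segments. */
static const struct seg sample_segs[3] = { {4096, 0}, {4096, 0}, {4096, 0} };
static const struct reg_buf sample = { 0x10000, 3 * 4096, 3, sample_segs };

enum { REJECTED = -1, NO_WALK = -2 };

/* Range check with the strict greater-than comparison the description quotes. */
static int range_ok(const struct reg_buf *imu, uint64_t addr, size_t len)
{
    uint64_t end = addr + len;
    if (end < addr || addr < imu->ubuf)
        return 0;
    return !(end > imu->ubuf + imu->len); /* addr at region end passes when len == 0 */
}

/* Returns the index of the segment the skip logic lands on.
 * A result equal to nr_segs means the next bv_offset read is past the array. */
static long import_seg_index(const struct reg_buf *imu, uint64_t addr,
                             size_t len, int patched)
{
    if (!range_ok(imu, addr, len))
        return REJECTED;
    if (patched && len == 0)
        return NO_WALK;                    /* fix: nothing to transfer, no walk */
    size_t offset = (size_t)(addr - imu->ubuf);
    size_t i = 0;
    while (i < imu->nr_segs && offset >= imu->segs[i].bv_len)
        offset -= imu->segs[i++].bv_len;   /* skip segments wholly before offset */
    return (long)i;
}

int main(void)
{
    uint64_t end = sample.ubuf + sample.len;
    printf("unpatched, len 0 at end: index %ld of %zu segments\n",
           import_seg_index(&sample, end, 0, 0), sample.nr_segs);
    printf("patched,   len 0 at end: %ld (no walk)\n",
           import_seg_index(&sample, end, 0, 1));
    printf("len 1 at end:            %ld (rejected)\n",
           import_seg_index(&sample, end, 1, 0));
    return 0;
}
```

Only the zero-length request at the exact end of the region reaches index 3 in a three-segment array; any non-zero length at that address is already rejected by the range check.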

Details

CWE(s)
None listed

Affected Products

Kernel
inferred from references and description; NVD did not file a CPE for this CVE

References