7 matches found
kernel: io_uring/rsrc: reject zero-length fixed buffer import
A flaw was found in the Linux kernel's iouring subsystem. A local attacker can exploit a vulnerability in the ioimportfixed function by importing a zero-length fixed buffer. This can lead to an out-of-bounds read from slab memory, potentially resulting in information disclosure or a denial of...
CVE-2026-43006
In the Linux kernel, the following vulnerability has been resolved: iouring/rsrc: reject zero-length fixed buffer import validatefixedrange admits bufaddr at the exact end of the registered region when len is zero, because the check uses strict greater-than bufend imu-ubuf + imu-len. ioimportfixe...
EUVD-2026-26605
In the Linux kernel, the following vulnerability has been resolved: iouring/rsrc: reject zero-length fixed buffer import validatefixedrange admits bufaddr at the exact end of the registered region when len is zero, because the check uses strict greater-than bufend imu-ubuf + imu-len. ioimportfixe...
CVE-2026-43006 io_uring/rsrc: reject zero-length fixed buffer import
In the Linux kernel, the following vulnerability has been resolved: iouring/rsrc: reject zero-length fixed buffer import validatefixedrange admits bufaddr at the exact end of the registered region when len is zero, because the check uses strict greater-than bufend imu-ubuf + imu-len. ioimportfixe...
CVE-2026-43006
In the Linux kernel, the following vulnerability has been resolved: iouring/rsrc: reject zero-length fixed buffer import validatefixedrange admits bufaddr at the exact end of the registered region when len is zero, because the check uses strict greater-than bufend imu-ubuf + imu-len. ioimportfixe...
CVE-2026-43006
CVE-2026-43006 (Linux kernel io_uring rsr/rsrc): A zero-length fixed-buffer import in io_import_fixed() could trigger a slab-out-of-bounds read due to a boundary check that allows len == 0 to be processed. The underlying issue is in validate_fixed_range(), which permits buf_addr at the end of the...
PT-2026-36423
In the Linux kernel, the following vulnerability has been resolved: io uring/rsrc: reject zero-length fixed buffer import validate fixed range admits buf addr at the exact end of the registered region when len is zero, because the check uses strict greater-than buf end imu-ubuf + imu-len. io impo...