CVE-2026-43366

Summary

In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: check if target buffer list is still legacy on recycle

There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < a7b33671e418fca507feebd1d56e7f4952a4b25caffected
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < 439a6728ec4641ffad1ca796622c19bc525e570faffected
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < f3fb54e7a8b4aadcc2836ee463eec8c88709b8aaaffected
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < 50ad880db3013c6fee0ef13781762a39e2e7ef83affected
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < 97b57f69fee1b61b41acbf37e7720cac9d389fa4affected
LinuxLinuxc7fb19428d67dd0a2a78a4f237af01d39c78dc5a < c2c185be5c85d37215397c8e8781abf0a69bec1faffected
LinuxLinux5.19affected
LinuxLinux0 < 5.19unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.19 <= 6.18.*unaffected
LinuxLinux6.19.9 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References