{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "8622b20f23ed165f48b8ca61503a107d17f8d585"
            },
            {
              "fixed": "040a1e7e0e2f01851fec1dd2d96906f8636a9f75"
            },
            {
              "fixed": "40170fc1a79c1b2e68f09ae6aac687b7305ae6f4"
            },
            {
              "fixed": "111a12b422a8cfa93deabaef26fec48237163214"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.15.0"
            },
            {
              "fixed": "6.18.22"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43006.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: reject zero-length fixed buffer import\n\nvalidate_fixed_range() admits buf_addr at the exact end of the\nregistered region when len is zero, because the check uses strict\ngreater-than (buf_end \u003e imu-\u003eubuf + imu-\u003elen).  io_import_fixed()\nthen computes offset == imu-\u003elen, which causes the bvec skip logic\nto advance past the last bio_vec entry and read bv_offset from\nout-of-bounds slab memory.\n\nReturn early from io_import_fixed() when len is zero.  A zero-length\nimport has no data to transfer and should not walk the bvec array\nat all.\n\n  BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0\n  Read of size 4 at addr ffff888002bcc254 by task poc/103\n  Call Trace:\n   io_import_reg_buf+0x697/0x7f0\n   io_write_fixed+0xd9/0x250\n   __io_issue_sqe+0xad/0x710\n   io_issue_sqe+0x7d/0x1100\n   io_submit_sqes+0x86a/0x23c0\n   __do_sys_io_uring_enter+0xa98/0x1590\n  Allocated by task 103:\n  The buggy address is located 12 bytes to the right of\n   allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)",
  "id": "CVE-2026-43006",
  "modified": "2026-07-08T05:38:26.080373960Z",
  "published": "2026-05-01T14:15:14.176Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/040a1e7e0e2f01851fec1dd2d96906f8636a9f75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/111a12b422a8cfa93deabaef26fec48237163214"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40170fc1a79c1b2e68f09ae6aac687b7305ae6f4"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43006.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43006"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "io_uring/rsrc: reject zero-length fixed buffer import"
}