{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "1cba30bf9fdd6c982708f3587f609a30c370d889"
            },
            {
              "fixed": "1f794f9bed3e5cf7250a3b4daf112a72ed1513e9"
            },
            {
              "fixed": "6f02c6b196036dbb6defb4647d8707d29b7fe95b"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43442.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops\n\nWhen IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,\nthe boundary check for 128-byte SQE operations in io_init_req()\nvalidated the logical SQ head position rather than the physical SQE\nindex.\n\nThe existing check:\n\n  !(ctx-\u003ecached_sq_head \u0026 (ctx-\u003esq_entries - 1))\n\nensures the logical position isn't at the end of the ring, which is\ncorrect for NO_SQARRAY rings where physical == logical. However, when\nsq_array is present, an unprivileged user can remap any logical\nposition to an arbitrary physical index via sq_array. Setting\nsq_array[N] = sq_entries - 1 places a 128-byte operation at the last\nphysical SQE slot, causing the 128-byte memcpy in\nio_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE\narray.\n\nReplace the cached_sq_head alignment check with a direct validation\nof the physical SQE index, which correctly handles both sq_array and\nNO_SQARRAY cases.",
  "id": "CVE-2026-43442",
  "modified": "2026-07-15T01:49:06.475060497Z",
  "published": "2026-05-08T14:22:10.656Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43442.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43442"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops"
}