Linux Kernel io_uring Slab-Out-Of-Bounds Read Vulnerability

Vulnerability

A slab-out-of-bounds read vulnerability has been identified in the Linux kernel's io_uring component, specifically within the networking subsystem. The length field (sqe->len) is an unsigned 32-bit value supplied by userspace, but it is stored as a signed integer. When userspace sends a length greater than INT_MAX, the stored value wraps to a negative number. This negative length propagates through the io_uring bundle receive and send paths and ultimately leads to an infinite loop that reads beyond the memory allocated for the I/O vector entries. The vulnerability has been assigned CVE-2026-31774.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds read, where the read operation exceeds the boundaries of allocated memory, potentially leading to information disclosure or memory corruption.

Reproduction

To reproduce this vulnerability, send an io_uring submission queue entry (SQE) with a length value that exceeds INT_MAX. This can be done by using an unsigned 32-bit value, such as 0xFFFFFFFF, which will cause the length to overflow when interpreted as a signed integer. Once the negative length value is propagated through the io_uring bundle processing functions, it will create an infinite loop that reads past the allocated I/O vector memory, triggering the slab-out-of-bounds read.

Remediation

The vulnerability has been fixed by adding checks to reject negative length values in the io_uring send and receive message preparation functions. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
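The signedness problem and the kind of check described above can be seen in a small userspace model. This is an added example, not the kernel's code or the actual patch: the struct names, function names and the segment-walking loop are hypothetical simplifications, and the segment sizes are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins, not the kernel's structures. */
struct model_sqe { uint32_t len; };  /* set by userspace, unsigned 32-bit */
struct model_req { int len; };       /* stored signed, as the advisory describes */

/* "Before": stored with no range check (out-of-range conversion wraps on gcc/clang). */
int prep_unchecked(struct model_req *req, const struct model_sqe *sqe)
{
    req->len = (int)sqe->len;
    return 0;
}

/* "After": a length that became negative is rejected at preparation time. */
int prep_checked(struct model_req *req, const struct model_sqe *sqe)
{
    req->len = (int)sqe->len;
    return req->len < 0 ? -EINVAL : 0;
}

/* Simplified walk that subtracts segment sizes from len until it reaches zero.
 * max_segs keeps the model inside the array; -1 means len was never exhausted. */
int segments_for_len(int len, const size_t *seg_len, int max_segs)
{
    int used = 0;
    while (len != 0) {
        if (used == max_segs)
            return -1;  /* without this bound the walk would leave the array */
        size_t rem = (size_t)len;  /* a negative len looks huge here */
        size_t take = seg_len[used] < rem ? seg_len[used] : rem;
        len -= (int)take;
        used++;
    }
    return used;
}

int main(void)
{
    const size_t segs[4] = { 4, 4, 4, 4 };   /* constructed sample sizes */
    struct model_sqe sqe = { 0xFFFFFFFFu };  /* value quoted in the advisory */
    struct model_req req;
    prep_unchecked(&req, &sqe);
    printf("stored len=%d walk=%d\n", req.len, segments_for_len(req.len, segs, 4));
    printf("checked prep returns %d\n", prep_checked(&req, &sqe));
    return 0;
}
```

In the model, a negative length only moves further from zero on each pass, so the walk ends only because of the explicit `max_segs` bound; rejecting the value at preparation time keeps it from reaching such a loop at all.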

Added: May 1, 2026, 4:16 PM
Updated: May 1, 2026, 4:16 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.