{"id":"CVE-2026-43366","summary":"io_uring/kbuf: check if target buffer list is still legacy on recycle","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: check if target buffer list is still legacy on recycle\n\nThere's a gap between when the buffer was grabbed and when it\npotentially gets recycled, where if the list is empty, someone could've\nupgraded it to a ring provided type. This can happen if the request\nis forced via io-wq. The legacy recycling is missing checking if the\nbuffer_list still exists, and if it's of the correct type. Add those\nchecks.","modified":"2026-06-04T09:14:15.801914451Z","published":"2026-05-08T14:21:19.191Z","related":["SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43366.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83"},{"type":"WEB","url":"https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43366.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43366"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c7fb19428d67dd0a2a78a4f237af01d39c78dc5a"},{"fixed":"a7b33671e418fca507feebd1d56e7f4952a4b25c"},{"fixed":"439a6728ec4641ffad1ca796622c19bc525e570f"},{"fixed":"f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa"},{"fixed":"50ad880db3013c6fee0ef13781762a39e2e7ef83"},{"fixed":"97b57f69fee1b61b41acbf37e7720cac9d389fa4"},{"fixed":"c2c185be5c85d37215397c8e8781abf0a69bec1f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43366.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43366.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}