In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: reject zero-length fixed buffer import
validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.
Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.
BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103
Call Trace:
  io_import_reg_buf+0x697/0x7f0
  io_write_fixed+0xd9/0x250
  __io_issue_sqe+0xad/0x710
  io_issue_sqe+0x7d/0x1100
  io_submit_sqes+0x86a/0x23c0
  __do_sys_io_uring_enter+0xa98/0x1590
Allocated by task 103:
The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
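The boundary case described above, as an added userspace model (not the kernel's code and not part of the original commit). It reports which bvec index the skip step lands on instead of dereferencing it. All model_* names, the sample region, the placement of the zero-length check after the range check and the simplified skip loop are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: struct and function names are hypothetical. */
struct model_bvec { uint32_t bv_len, bv_offset; };
struct model_imu {
    uint64_t ubuf, len;              /* registered region: [ubuf, ubuf + len) */
    unsigned nr_bvecs;
    const struct model_bvec *bvec;
};
enum { MODEL_EFAULT = -1, MODEL_NO_WALK = -2 };

/* Range check with the strict '>' comparison the advisory describes. */
static bool model_range_ok(const struct model_imu *imu, uint64_t addr, uint64_t len)
{
    uint64_t end;
    if (__builtin_add_overflow(addr, len, &end))
        return false;
    return !(addr < imu->ubuf || end > imu->ubuf + imu->len);
}

/*
 * Returns the index of the bvec entry the skip step lands on, so the caller
 * can compare it with nr_bvecs. An index equal to nr_bvecs is one past the
 * last entry, which is where the out-of-bounds read happens.
 */
static int model_import(const struct model_imu *imu, uint64_t addr,
                        uint64_t len, bool reject_zero_len)
{
    if (!model_range_ok(imu, addr, len))
        return MODEL_EFAULT;
    if (reject_zero_len && len == 0)   /* the fix: nothing to transfer */
        return MODEL_NO_WALK;
    uint64_t offset = addr - imu->ubuf;
    unsigned i = 0;
    while (i < imu->nr_bvecs && offset >= imu->bvec[i].bv_len)
        offset -= imu->bvec[i++].bv_len;
    return (int)i;
}

/* Constructed sample: three 4096-byte segments registered at 0x10000. */
static const struct model_bvec sample_bvecs[3] = { {4096, 0}, {4096, 0}, {4096, 0} };
static const struct model_imu sample = { 0x10000, 3 * 4096, 3, sample_bvecs };

int main(void)
{
    uint64_t end = sample.ubuf + sample.len;
    printf("len=0 at end, unfixed: index %d of %u entries\n",
           model_import(&sample, end, 0, false), sample.nr_bvecs);
    printf("len=0 at end, fixed: %d\n", model_import(&sample, end, 0, true));
    return 0;
}
```

A one-byte request at the same address is rejected by the range check, which is why only the zero-length case reaches the skip step with offset equal to the region length.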
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43006.json",
"cna_assigner": "Linux"
}