CVE-2026-43366

There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43366.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c7fb19428d67dd0a2a78a4f237af01d39c78dc5a

Fixed

a7b33671e418fca507feebd1d56e7f4952a4b25c

Fixed

439a6728ec4641ffad1ca796622c19bc525e570f

Fixed

f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa

Fixed

50ad880db3013c6fee0ef13781762a39e2e7ef83

Fixed

97b57f69fee1b61b41acbf37e7720cac9d389fa4

Fixed

c2c185be5c85d37215397c8e8781abf0a69bec1f

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43366.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.19.0

Fixed

6.1.167

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.130

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.78

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.19

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43366.json"