Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Race condition in Linux kernel io_uring/kbuf legacy buffer recycling

IdentifiersCVE-2026-43366CWE-362

CVE-2026-43366 is a Linux kernel flaw in the io_uring/kbuf buffer recycling path. The bug exists in the gap between when a buffer is obtained and when it is later recycled: if the target buffer list becomes empty during that window, another operation can upgrade that list from a legacy provided-buffer list to a ring-provided buffer type before recycle occurs. This race is reachable when a request is forced through io-wq. The vulnerable legacy recycle logic did not verify that the target buffer_list still existed or that it was still the expected legacy type before reusing it. The fix adds validation to ensure the buffer list is still present and still legacy before recycling the buffer.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to corruption of io_uring buffer management state in kernel context, with potential high impact to confidentiality, integrity, and availability. Available scoring in the provided content indicates local exploitation with low privileges and no user interaction, and the resulting effects may include kernel memory corruption, denial of service, or potentially further compromise depending on runtime conditions.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local users' ability to create and use io_uring workloads, especially configurations that can force requests through io-wq and exercise provided-buffer recycling paths. Minimize access to affected systems by low-privilege local accounts and container tenants sharing the host kernel. These are only temporary risk-reduction measures; the definitive mitigation is to deploy a fixed kernel.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update that includes the io_uring/kbuf fix for CVE-2026-43366. The remediation is the upstream change that adds checks during legacy buffer recycling to confirm that the target buffer list still exists and remains of the legacy type before recycle proceeds. Vendor guidance in the provided content indicates installing the relevant SUSE kernel security updates via YaST or zypper and rebooting after patching.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

5 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43366
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43366
MITRE CWE · CWE-362
cwe.mitre.org
Patch
git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f
Patch
git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83
Patch
git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4
Patch
git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c
Patch
git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f
Patch
git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa