Incorrect Conversion between Numeric Types Affecting kernel-zfcpdump-devel-matched package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL10-KERNELZFCPDUMPDEVELMATCHED-16371766
- published4 May 2026
- disclosed1 May 2026
Introduced: 1 May 2026
NewCVE-2026-31774 (opens in a new tab)How to fix?
There is no fixed version for RHEL:10 kernel-zfcpdump-devel-matched.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-zfcpdump-devel-matched package and not the kernel-zfcpdump-devel-matched package as distributed by RHEL.
See How to fix? for RHEL:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path:
- io_recv(): sel.val = sr->len (ssize_t gets -1)
- io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF)
- io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large
- iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
- io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array
This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries.
BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160
Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2464417
- https://access.redhat.com/security/cve/CVE-2026-31774
- https://git.kernel.org/stable/c/1b655cd311344117d3052f6552cb20d9901c9d7c
- https://git.kernel.org/stable/c/90ced24c500ad4e129e9e34b7e56fd7849e350b6
- https://git.kernel.org/stable/c/b948f9d5d3057b01188e36664e7c7604d1c8ecb5
- https://git.kernel.org/stable/c/c314b405dcc4d8b9041124f928f81715d6328bec