CVE-2026-22998
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
- H2C_DATA PDU sent before CONNECT → both pointers NULL
- H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
- H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f775f2621c2ac5cc3a0b3a64665dad4fb146e510 < baabe43a0edefac8cd7b981ff87f967f6034dafe | affected |
| Linux | Linux | 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d < 76abc83a9d25593c2b7613c549413079c14a4686 | affected |
| Linux | Linux | 2871aa407007f6f531fae181ad252486e022df42 < 7d75570002929d20e40110d6b03e46202c9d1bc7 | affected |
| Linux | Linux | 24e05760186dc070d3db190ca61efdbce23afc88 < fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4 | affected |
| Linux | Linux | efa56305908ba20de2104f1b8508c6a7401833be < 3def5243150716be86599c2a1767c29c68838b6d | affected |
| Linux | Linux | efa56305908ba20de2104f1b8508c6a7401833be < 374b095e265fa27465f34780e0eb162ff1bef913 | affected |
| Linux | Linux | efa56305908ba20de2104f1b8508c6a7401833be < 32b63acd78f577b332d976aa06b56e70d054cbba | affected |
| Linux | Linux | ee5e7632e981673f42a50ade25e71e612e543d9d | affected |
| Linux | Linux | 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 | affected |
| Linux | Linux | 5.10.209 < 5.10.249 | affected |
| Linux | Linux | 5.15.148 < 5.15.199 | affected |
| Linux | Linux | 6.1.75 < 6.1.162 | affected |
| Linux | Linux | 6.6.14 < 6.6.122 | affected |
| Linux | Linux | 5.4.268 < 5.5 | affected |
| Linux | Linux | 6.7.2 < 6.8 | affected |
| Linux | Linux | 6.8 | affected |
| Linux | Linux | 0 < 6.8 | unaffected |
| Linux | Linux | 5.10.249 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.199 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.162 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.122 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.67 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.7 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe
- https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686
- https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7
- https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4
- https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
- https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
- https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.