CVE-2026-23112

Summary

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 0b9981751be14b59b4473383c731c833738aebdbaffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 42afe8ed8ad2de9c19457156244ef3e1eca94b5daffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 1385be357e8acd09b36e026567f3a9d5c61139deaffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < dca1a6ba0da9f472ef040525fab10fd9956db59faffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 19672ae68d52ff75347ebe2420dde1b07adca09faffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < ab200d71553bdcf4de554a5985b05b2dd606bc57affected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 52a0a98549344ca20ad81a4176d68d28e3c05a5caffected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.200 <= 5.15.*unaffected
LinuxLinux6.1.163 <= 6.1.*unaffected
LinuxLinux6.6.124 <= 6.6.*unaffected
LinuxLinux6.12.70 <= 6.12.*unaffected
LinuxLinux6.18.10 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

Additional References

References