CVE-2026-52989
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1385be357e8acd09b36e026567f3a9d5c61139de < 3df42a854686fa06484e37ac1a3931c8e3e3453c | affected |
| Linux | Linux | dca1a6ba0da9f472ef040525fab10fd9956db59f < d7c8f95f599b3b38a717d2e771c3f8c174f657c3 | affected |
| Linux | Linux | 19672ae68d52ff75347ebe2420dde1b07adca09f < f9204a2b78dd18374d3bcf9bf93d9021ce22de1b | affected |
| Linux | Linux | ab200d71553bdcf4de554a5985b05b2dd606bc57 < c2a11441538bdbbc5aa003f190995eba93a89b88 | affected |
| Linux | Linux | 52a0a98549344ca20ad81a4176d68d28e3c05a5c < 046fa5c72d15cd8e2d592e275697ea399d8f76b0 | affected |
| Linux | Linux | 52a0a98549344ca20ad81a4176d68d28e3c05a5c < ea8e356acb165cb1fd75537a52e1f66e5e76c538 | affected |
| Linux | Linux | 043b4307a99f902697349128fde93b2ddde4686c | affected |
| Linux | Linux | 42afe8ed8ad2de9c19457156244ef3e1eca94b5d | affected |
| Linux | Linux | 6.1.163 < 6.1.175 | affected |
| Linux | Linux | 6.6.124 < 6.6.141 | affected |
| Linux | Linux | 6.12.70 < 6.12.91 | affected |
| Linux | Linux | 6.18.10 < 6.18.33 | affected |
| Linux | Linux | 5.10.250 < 5.11 | affected |
| Linux | Linux | 5.15.200 < 5.16 | affected |
| Linux | Linux | 6.19 | affected |
| Linux | Linux | 0 < 6.19 | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.141 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.91 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.33 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Additional References
- https://access.redhat.com/security/cve/CVE-2026-52989
- https://bugzilla.redhat.com/show_bug.cgi?id=2492443
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52989.json
References
- https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c
- https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3
- https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b
- https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88
- https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0
- https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.