CVE-2026-52989

Summary

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.

Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1385be357e8acd09b36e026567f3a9d5c61139de < 3df42a854686fa06484e37ac1a3931c8e3e3453caffected
LinuxLinuxdca1a6ba0da9f472ef040525fab10fd9956db59f < d7c8f95f599b3b38a717d2e771c3f8c174f657c3affected
LinuxLinux19672ae68d52ff75347ebe2420dde1b07adca09f < f9204a2b78dd18374d3bcf9bf93d9021ce22de1baffected
LinuxLinuxab200d71553bdcf4de554a5985b05b2dd606bc57 < c2a11441538bdbbc5aa003f190995eba93a89b88affected
LinuxLinux52a0a98549344ca20ad81a4176d68d28e3c05a5c < 046fa5c72d15cd8e2d592e275697ea399d8f76b0affected
LinuxLinux52a0a98549344ca20ad81a4176d68d28e3c05a5c < ea8e356acb165cb1fd75537a52e1f66e5e76c538affected
LinuxLinux043b4307a99f902697349128fde93b2ddde4686caffected
LinuxLinux42afe8ed8ad2de9c19457156244ef3e1eca94b5daffected
LinuxLinux6.1.163 < 6.1.175affected
LinuxLinux6.6.124 < 6.6.141affected
LinuxLinux6.12.70 < 6.12.91affected
LinuxLinux6.18.10 < 6.18.33affected
LinuxLinux5.10.250 < 5.11affected
LinuxLinux5.15.200 < 5.16affected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Additional References

References