FKIE_CVE-2026-22998

Vulnerability from fkie_nvd - Published: 2026-01-25 15:15 - Updated: 2026-03-18 16:26
Summary
In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E4BEAC0-E873-440D-A75E-55699C2412A4",
              "versionEndExcluding": "5.5",
              "versionStartIncluding": "5.4.268",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6983E9C-F8A9-4494-8156-3E2F7E736BF8",
              "versionEndExcluding": "5.10.249",
              "versionStartIncluding": "5.10.209",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0275B58-DF8C-46AE-B9A5-20396D123D12",
              "versionEndExcluding": "5.15.199",
              "versionStartIncluding": "5.15.148",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DE91ACC-6DAF-42AE-8D41-3A91572E9052",
              "versionEndExcluding": "6.1.162",
              "versionStartIncluding": "6.1.75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "68AE0BF9-0835-45D8-AACC-EDFAC1663259",
              "versionEndExcluding": "6.6.122",
              "versionStartIncluding": "6.6.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B14F508-4490-4A35-BEFC-40EF300279E7",
              "versionEndExcluding": "6.12.67",
              "versionStartIncluding": "6.7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436",
              "versionEndExcluding": "6.18.7",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command\u0027s data structures (cmd-\u003ereq.sg and cmd-\u003eiov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd-\u003ereq.sg and cmd-\u003eiov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n- WRITE commands: both allocated"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvme-tcp: soluciona desreferencias de puntero NULL en nvmet_tcp_build_pdu_iovec\n\nEl commit efa56305908b (\u0027nvmet-tcp: Soluciona un p\u00e1nico del kernel cuando el host env\u00eda una longitud de PDU H2C inv\u00e1lida\u0027) a\u00f1adi\u00f3 la comprobaci\u00f3n de l\u00edmites de ttag y la validaci\u00f3n de data_offset en nvmet_tcp_handle_h2c_data_pdu(), pero no valid\u00f3 si las estructuras de datos del comando (cmd-\u0026gt;req.sg y cmd-\u0026gt;iov) han sido inicializadas correctamente antes de procesar las PDUs H2C_DATA.\n\nLa funci\u00f3n nvmet_tcp_build_pdu_iovec() desreferencia estos punteros sin comprobaciones de NULL. Esto puede ser provocado enviando una PDU H2C_DATA inmediatamente despu\u00e9s del handshake ICREQ/ICRESP, antes de enviar un comando CONNECT o un comando de escritura NVMe.\n\nVectores de ataque que provocan desreferencias de puntero NULL:\n1. PDU H2C_DATA enviada antes de CONNECT ? ambos punteros NULL\n2. PDU H2C_DATA para comando READ ? cmd-\u0026gt;req.sg asignado, cmd-\u0026gt;iov NULL\n3. PDU H2C_DATA para slot de comando no inicializado ? ambos punteros NULL\n\nLa soluci\u00f3n valida tanto cmd-\u0026gt;req.sg como cmd-\u0026gt;iov antes de llamar a nvmet_tcp_build_pdu_iovec(). Ambas comprobaciones son necesarias porque:\n- Comandos no inicializados: ambos NULL\n- Comandos READ: cmd-\u0026gt;req.sg asignado, cmd-\u0026gt;iov NULL\n- Comandos WRITE: ambos asignados"
    }
  ],
  "id": "CVE-2026-22998",
  "lastModified": "2026-03-18T16:26:20.723",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-25T15:15:54.643",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

