GHSA-M4W6-2G7F-9J5P
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37

In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA. Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
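The failure mode described above, reduced to a user-space C model. This is an added example, not the kernel source or the upstream patch; every type and function name, the 4096-byte buffer, and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed user-space model; all names are hypothetical, not kernel code. */
enum rcv_state { RECV_PDU, RECV_DATA, RECV_ERR };
struct queue { enum rcv_state state; };
struct cmd { struct queue *q; size_t buf_len; int iter_ready; };
#define OOB(c, off, len) ((off) > (c)->buf_len || (len) > (c)->buf_len - (off))
static void fatal_error(struct queue *q) { q->state = RECV_ERR; }

/* Before: void return, so the caller cannot see the bounds failure. */
static void build_iovec_void(struct cmd *c, size_t off, size_t len) {
    if (OOB(c, off, len)) {
        fatal_error(c->q);
        return;                      /* iterator never initialized */
    }
    c->iter_ready = 1;
}

static void handle_data_pdu_before(struct cmd *c, size_t off, size_t len) {
    build_iovec_void(c, off, len);
    c->q->state = RECV_DATA;         /* overwrites RECV_ERR set above */
}

/* After: the failure is returned; -EINVAL is this example's choice. */
static int build_iovec(struct cmd *c, size_t off, size_t len) {
    if (OOB(c, off, len)) return -EINVAL;
    c->iter_ready = 1;
    return 0;
}

static int handle_data_pdu_after(struct cmd *c, size_t off, size_t len) {
    int ret = build_iovec(c, off, len);
    if (ret) {
        fatal_error(c->q);           /* the caller now owns error handling */
        return ret;
    }
    c->q->state = RECV_DATA;
    return 0;
}

/* 1 if an out-of-bounds PDU ends in RECV_DATA with no iterator set up. */
int oob_reaches_recv_data(int fixed) {
    struct queue q = { RECV_PDU };
    struct cmd c = { &q, 4096, 0 };  /* constructed: 4096-byte buffer */
    if (fixed) handle_data_pdu_after(&c, 4000, 512);
    else handle_data_pdu_before(&c, 4000, 512);
    return q.state == RECV_DATA && !c.iter_ready;
}
int main(void) { return oob_reaches_recv_data(0) == 1 && oob_reaches_recv_data(1) == 0 ? 0 : 1; }
```

In the "before" path the error state set by the helper is silently replaced by the caller, which is the swallowed-error pattern the advisory classifies as CWE-390.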
```json
{
  "affected": [],
  "aliases": [
    "CVE-2026-52989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:09Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\n\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\nPDU length or offset, it triggers nvmet_tcp_fatal_error(cmd-\u003equeue)\nand returns early. However, because the function returns void, the\ncallers are entirely unaware that a fatal error has occurred and\nthat the cmd-\u003erecv_msg.msg_iter was left uninitialized.\n\nCallers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly\noverwrite the queue state with queue-\u003ercv_state = NVMET_TCP_RECV_DATA\nConsequently, the socket receiving loop may attempt to read incoming\nnetwork data into the uninitialized iterator.\n\nFix this by shifting the error handling responsibility to the callers.",
  "id": "GHSA-m4w6-2g7f-9j5p",
  "modified": "2026-06-30T03:37:12Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52989"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52989"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492443"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52989.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}
```