Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
length or offset exceeds sg_cnt and then use bogus sg->length/offset
values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
entries, and sg->length/offset before building the bvec.
Published: 2026-02-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution / kernel privilege escalation
Action: Immediate patch
AI Analysis

Impact

This vulnerability in the Linux kernel's nvmet-tcp subsystem, specifically nvmet_tcp_build_pdu_iovec, allows an attacker to cause the kernel to read beyond a submitted scatter‑gather list when a PDU length or offset exceeds the count of SG entries. The unchecked bounds lead to a kernel‑mode fault and may provide a path to arbitrary memory corruption. Because the components operate in privileged kernel space, exploitation can enable an attacker to elevate privileges or execute arbitrary code with system privileges.

Affected Systems

The flaw is present in the Linux kernel starting with release candidate 6.19 rc1 through rc8, as indicated by the CPE list. The affected vendors are Linux:Linux. Systems running these kernels as part of a NVMe over TCP implementation are exposed. The commit that added proper bounds checks mitigates the issue, but all systems upstream from the bug remain vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 9.8 marks the vulnerability as critical, and the EPSS score of less than 1% suggests that, as of the last analysis, exploitation activity is low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no publicly known exploits yet. The attack is likely network‑based, requiring the attacker to send malformed NVMe commands to a target exposing nvmet-tcp. The high severity mandates immediate action, even though the current exploitation probability remains modest.

Generated by OpenCVE AI on April 15, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the nvmet_tcp_build_pdu_iovec bounds‑check patch (commits 043b4307a99f…).
  • If an immediate kernel update is not possible, disable the nvmet-tcp service or block the NVMe over TCP traffic to prevent the vulnerability from being exercised.
  • Continuously monitor kernel logs for KASAN messages or unexpected panics, and apply any security updates from the vendor as soon as they become available.

Generated by OpenCVE AI on April 15, 2026 at 20:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4498-1 linux security update
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
History

Mon, 04 May 2026 09:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 08:45:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 14 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}

threat_severity

Moderate

Fri, 13 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
Title nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-04T07:51:15.694Z

Reserved: 2026-01-13T15:37:45.968Z

Link: CVE-2026-23112

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-13T14:16:10.403

Modified: 2026-05-04T09:16:00.390

Link: CVE-2026-23112

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-13T00:00:00Z

Links: CVE-2026-23112 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses