{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23112", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.968Z", "datePublished": "2026-02-13T13:29:56.724Z", "dateUpdated": "2026-02-13T13:29:56.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-13T13:29:56.724Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "043b4307a99f902697349128fde93b2ddde4686c", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "42afe8ed8ad2de9c19457156244ef3e1eca94b5d", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "1385be357e8acd09b36e026567f3a9d5c61139de", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "dca1a6ba0da9f472ef040525fab10fd9956db59f", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "19672ae68d52ff75347ebe2420dde1b07adca09f", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "ab200d71553bdcf4de554a5985b05b2dd606bc57", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "52a0a98549344ca20ad81a4176d68d28e3c05a5c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.250", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.200", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.10.250"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/043b4307a99f902697349128fde93b2ddde4686c"}, {"url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"}, {"url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"}, {"url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"}, {"url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"}, {"url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"}, {"url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"}], "title": "nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec."}], "id": "CVE-2026-23112", "lastModified": "2026-02-13T14:23:48.007", "metrics": {}, "published": "2026-02-13T14:16:10.403", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/043b4307a99f902697349128fde93b2ddde4686c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "id": "2439683", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439683"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module nvmet-tcp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2026-23112", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23112\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23112\nhttps://lore.kernel.org/linux-cve-announce/2026021302-CVE-2026-23112-6499@gregkh/T"], "statement": "An out of bounds access in the NVMe TCP target can occur in nvmet_tcp_build_pdu_iovec when a crafted PDU length or data offset causes sg_idx to exceed cmd req sg_cnt or causes iteration past the remaining scatterlist entries. This can make the code use bogus sg length and offset values and then crash in _copy_to_iter with a general protection fault or a KASAN report. For the CVSS the PR is N in the paranoid scenario because an attacker only needs network reachability to the NVMe TCP target listener and does not need local credentials on the victim. The issue is network reachable in environments that expose NVMe over TCP to initiators (usually in local networks or by VPN, so for the CVSS keeping AV:A). Impact is a reliable denial of service via kernel crash. In a conservative assessment memory corruption patterns may also be considered for potential confidentiality or integrity impact.", "threat_severity": "Moderate"}

{"created": "2026-02-13T21:28:37.904734+00:00", "updated": "2026-02-13T21:28:37.904881+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}