Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference

There is a race condition in nvmet_bio_done() that can cause a NULL
pointer dereference in blk_cgroup_bio_start():

1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inline_bio from nvmet_req
5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)
invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
6. The re-submitted bio enters submit_bio_noacct_nocheck()
7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:

BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
Call Trace:
submit_bio_noacct_nocheck+0x44/0x250
nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
process_one_work+0x193/0x3c0
worker_thread+0x281/0x3a0

Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()
BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before
the request can be re-submitted, preventing the race condition.
Published: 2026-02-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash leading to denial of service
Action: Apply patch
AI Analysis

Impact

A race condition exists in the nvmet module of the Linux kernel where the nvmet_bio_done() function can be executed after a request has been re‑queued, leading to a NULL pointer dereference in blk_cgroup_bio_start(). This vulnerability triggers a kernel panic and system crash, disrupting availability. The weakness is a NULL pointer dereference (CWE‑476) and does not directly enable code execution but can be exploited to cause denial of service if an attacker can influence NVMe target requests.

Affected Systems

Affected kernel releases include Linux 6.16 from release candidate 5 through 7 and Linux 6.19 from release candidate 1 through 7. Any kernel built from these branches that has not incorporated the nvmet_bio_done reordering fix remains vulnerable. Earlier nightly builds and the generic kernel before the patch are also affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a very low probability of real‑world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need local or privileged access to manipulate NVMe traffic that targets the system’s NVMe over Fabrics subsystem. Because the flaw leads to a crash rather than code execution, the probable impact is denial of service rather than privilege escalation.

Generated by OpenCVE AI on April 16, 2026 at 06:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the nvmet_bio_done reordering patch (e.g., kernel 6.16 or newer stable releases).
  • If a kernel update is not immediately available, consider disabling the nvmet (NVMe over Fabrics) driver until the patch is applied.
  • If disabling the driver is not feasible, restrict NVMe target traffic by firewall rules or network segmentation to limit the attack surface until the kernel is upgraded.

Generated by OpenCVE AI on April 16, 2026 at 06:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start(): 1. nvmet_bio_done() is called when a bio completes 2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req) 3. The queue_response callback can re-queue and re-submit the same request 4. The re-submission reuses the same inline_bio from nvmet_req 5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL 6. The re-submitted bio enters submit_bio_noacct_nocheck() 7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash: BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0 Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.
Title nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:05.957Z

Reserved: 2026-01-13T15:37:45.975Z

Link: CVE-2026-23148

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-14T16:15:54.913

Modified: 2026-04-03T14:16:24.630

Link: CVE-2026-23148

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23148 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses