Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()

When the socket is closed while in TCP_LISTEN a callback is run to
flush all outstanding packets, which in turn calls
nvmet_tcp_listen_data_ready() with the sk_callback_lock held.
So we need to check if we are in TCP_LISTEN before attempting
to get the sk_callback_lock() to avoid a deadlock.
Published: 2026-02-14
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to kernel deadlock
Action: Immediate Patch
AI Analysis

Impact

The kernel contains a deadlock condition in the nvmet-tcp subsystem, triggered when a socket in the TCP_LISTEN state is closed. During the cleanup callback, nvmet_tcp_listen_data_ready() attempts to acquire the sk_callback_lock, which is already held, and the network stack stalls. The resulting hang can prevent new connections from being accepted and may degrade or crash the kernel, effectively creating a denial-of-service scenario for any host relying on NVMe traffic over TCP. The flaw is a concurrency bug: a lock is requested again on a code path that already holds it.

Affected Systems

Any Linux kernel that has not incorporated the patch fixing nvmet_tcp_listen_data_ready() is affected. The vulnerability resides in the core kernel code that implements NVMe-over-Fabrics over TCP, so it potentially affects all distributions that ship an unpatched kernel image with that feature.

Risk and Exploitability

The CVSS score of 7.0 places this as a high-severity issue. Its EPSS rate is under 1%, indicating that, at the time of analysis, exploitation by attackers is considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need either local or privileged access to trigger the problematic socket closure, or control over the NVMe over TCP interface to force the state transition. Because the bug results in a deadlock rather than a crash, remediation via an upgrade is recommended rather than attempting runtime mitigation.

Generated by OpenCVE AI on April 18, 2026 at 12:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the nvmet_tcp_listen_data_ready patch
  • If an immediate kernel update is not possible, restart the affected system or the nvmet‑tcp service once the patch is applied to clear the deadlock state
  • Update any firmware or drivers that interact with nvme‑over‑fabrics to ensure compatibility with the patched kernel


Advisories
Source | ID | Title
Debian DSA | DSA-6141-1 | linux security update
History

Sat, 18 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-759

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 16 Feb 2026 09:30:00 +0000


Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turn calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held. So we need to check if we are in TCP_LISTEN before attempting to get the sk_callback_lock() to avoid a deadlock.
Title nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-16T08:58:52.846Z

Reserved: 2026-01-13T15:37:45.984Z

Link: CVE-2026-23179

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-14T17:15:55.643

Modified: 2026-04-15T14:34:27.800

Link: CVE-2026-23179

Red Hat

Severity: Important

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23179 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses