Description
In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: release admin tagset if init fails

nvme_fabrics creates an NVMe/FC controller in following path:

nvmf_dev_write()
-> nvmf_create_ctrl()
-> nvme_fc_create_ctrl()
-> nvme_fc_init_ctrl()

nvme_fc_init_ctrl() allocates the admin blk-mq resources right after
nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing
the controller state, scheduling connect work, etc.), we jump to the
fail_ctrl path, which tears down the controller references but never
frees the admin queue/tag set. The leaked blk-mq allocations match the
kmemleak report seen during blktests nvme/fc.

Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call
nvme_remove_admin_tag_set() when it is set so that all admin queue
allocations are reclaimed whenever controller setup aborts.
Published: 2026-03-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Patch
AI Analysis

Impact

The Linux kernel did not deallocate the admin tagset for NVMe/FC controllers when initialization failed. This memory leak accumulates allocated blocks for the admin queue, reducing available kernel memory over time. Persistent failures could exhaust the kernel’s memory budget and cause out‑of‑memory conditions or kernel panics, impacting system availability.

Affected Systems

This flaw resides in the nvme_fabrics path of the Linux kernel, so any kernel that includes the nvme-fc subsystem is potentially affected. No specific kernel version is listed, meaning all releases with this code path should be examined for the contained patch.

Risk and Exploitability

Risk and exploitability are moderate with a CVSS score of 5.5 and an EPSS less than 1%. The vulnerability is not in the CISA KEV catalog. The likely attack vector is exploiting the NVMe/FC controller initialization routine; based on the description it is inferred that an attacker could trigger the failure by sending malformed NVMe/FC requests or by repeatedly creating and destroying controllers with elevated privileges. Repeated failures would lead to cumulative memory leaks, potentially exhausting kernel memory over time.

Generated by OpenCVE AI on March 27, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the CVE-2026-23261 fix
  • If patching is not immediately possible, monitor kernel memory usage for abnormal growth or kernel panic events
  • Limit the frequency of NVMe/FC controller creation and destruction until the operating system is patched

Generated by OpenCVE AI on March 27, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 19 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nvme-fc: release admin tagset if init fails nvme_fabrics creates an NVMe/FC controller in following path: nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl() nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc. Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.
Title nvme-fc: release admin tagset if init fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-19T16:01:07.303Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23261

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:24.623

Modified: 2026-03-19T17:16:22.743

Link: CVE-2026-23261

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23261 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:59Z

Weaknesses