CVE-2026-23376 - Vulnerability Details

- nvmet-fcloop: Check remoteport port_state before calling done callback

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet-fcloop: Check remoteport port_state before calling done callback

In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when
remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the
nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to
fail and the nvme-fc transport layer itself will directly call
nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free
the lsrsp resources.

Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.
If online, then lsrsp->done callback will free the lsrsp. Else, return
-ENODEV to signal the nvme-fc transport to handle freeing lsrsp.

Published: 2026-03-25

Score: 3.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s NVMe‑FC loopback implementation, a callback intended to free a response structure is only set when the remote port is online. When the remote port is offline, the structure is freed by an alternate path, which can lead to improper resource cleanup. This improper resource management may cause memory leaks or kernel crashes, threatening system availability.

Affected Systems

The flaw is confined to the Linux kernel’s NVMe‑FC subsystem, specifically the nvmet‑fcloop component. All installations running a kernel version prior to the mitigate commit are vulnerable. The fixed code resides in the NVMe‑FC loopback handling routine and is incorporated into the latest stable kernel releases.

Risk and Exploitability

The CVSS score of 3.3 classifies the issue as moderate severity, while an EPSS score below 1% and absence from CISA’s KEV catalog indicate a low exploitation likelihood. The vulnerability requires interaction with the NVMe‑FC loopback path, which typically implies local privilege or the ability to send crafted NVMe-FC requests, making remote exploitation unlikely. Nonetheless, the potential denial‑of‑service impact warrants timely patching.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`10c165af35d225eb033f4edc7fcc699a8d2d533d`	affected	< f30b95159a53e72529a9ca1667f11cd1970240a7
`10c165af35d225eb033f4edc7fcc699a8d2d533d`	affected	< 31d3817bcd9e192b30abe3cf4b68f69d48864dd2
`10c165af35d225eb033f4edc7fcc699a8d2d533d`	affected	< dd677d0598387ea623820ab2bd0e029c377445a3
`2cf857075bcc8e83c4aa5fe7d8f1efd6af51e04e`	affected	—

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[10c165af35d225eb033f4edc7fcc699a8d2d533d,f30b95159a53e72529a9ca1667f11cd1970240a7)`	affected	code_commit	—
`[10c165af35d225eb033f4edc7fcc699a8d2d533d,31d3817bcd9e192b30abe3cf4b68f69d48864dd2)`	affected	code_commit	—
`[10c165af35d225eb033f4edc7fcc699a8d2d533d,dd677d0598387ea623820ab2bd0e029c377445a3)`	affected	code_commit	—
`2cf857075bcc8e83c4aa5fe7d8f1efd6af51e04e`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*)`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify the current kernel version with uname -r
Check your distribution’s repository or vendor site for the latest kernel that includes the nvmet‑fcloop fix
Apply the update and reboot into the new kernel
If an updated kernel is not yet available, consider disabling NVMe‑FC loopback functionality until the patch is released
Monitor vendor advisories for future updates

Generated by OpenCVE AI on March 26, 2026 at 14:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2
https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3
https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7
https://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23376-114a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23376
https://www.cve.org/CVERecord?id=CVE-2026-23376

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-414
References		https://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23376-114a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23376 https://www.cve.org/CVERecord?id=CVE-2026-23376
Metrics	threat_severity `None`	cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}` threat_severity `Low`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nvmet-fcloop: Check remoteport port_state before calling done callback In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources. Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state. If online, then lsrsp->done callback will free the lsrsp. Else, return -ENODEV to signal the nvme-fc transport to handle freeing lsrsp.
Title		nvmet-fcloop: Check remoteport port_state before calling done callback
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2 https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3 https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:56.458Z

Updated: 2026-04-13T06:06:11.168Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23376

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:37.383

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23376

Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23376 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:04Z

Weaknesses

CWE-414

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object