{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23376", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:56.458Z", "dateUpdated": "2026-03-25T10:27:56.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:56.458Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fcloop: Check remoteport port_state before calling done callback\n\nIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when\nremoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the\nnvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to\nfail and the nvme-fc transport layer itself will directly call\nnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free\nthe lsrsp resources.\n\nUpdate the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.\nIf online, then lsrsp->done callback will free the lsrsp. Else, return\n-ENODEV to signal the nvme-fc transport to handle freeing lsrsp."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/fcloop.c"], "versions": [{"version": "10c165af35d225eb033f4edc7fcc699a8d2d533d", "lessThan": "f30b95159a53e72529a9ca1667f11cd1970240a7", "status": "affected", "versionType": "git"}, {"version": "10c165af35d225eb033f4edc7fcc699a8d2d533d", "lessThan": "31d3817bcd9e192b30abe3cf4b68f69d48864dd2", "status": "affected", "versionType": "git"}, {"version": "10c165af35d225eb033f4edc7fcc699a8d2d533d", "lessThan": "dd677d0598387ea623820ab2bd0e029c377445a3", "status": "affected", "versionType": "git"}, {"version": "2cf857075bcc8e83c4aa5fe7d8f1efd6af51e04e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/fcloop.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7"}, {"url": "https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2"}, {"url": "https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3"}], "title": "nvmet-fcloop: Check remoteport port_state before calling done callback", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fcloop: Check remoteport port_state before calling done callback\n\nIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when\nremoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the\nnvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to\nfail and the nvme-fc transport layer itself will directly call\nnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free\nthe lsrsp resources.\n\nUpdate the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.\nIf online, then lsrsp->done callback will free the lsrsp. Else, return\n-ENODEV to signal the nvme-fc transport to handle freeing lsrsp."}], "id": "CVE-2026-23376", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:37.383", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nvmet-fcloop: Check remoteport port_state before calling done callback", "id": "2451267", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451267"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-414", "details": ["A flaw was found in the Linux kernel's nvmet-fcloop component. This vulnerability occurs due to incorrect handling of resource freeing when the remote port state is not online. Specifically, the `fcloop_t2h_xmt_ls_rsp` routine fails to check the `remoteport->port_state` before calling a done callback, which can lead to improper resource management. This could potentially result in system instability or resource leaks."], "name": "CVE-2026-23376", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23376\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23376\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23376-114a@gregkh/T"], "statement": "This flaw affects systems using NVMe over Fibre Channel loopback (fcloop) for testing. The missing port_state check causes incorrect callback handling when the remote port is not online, leading to resource management issues. This is primarily a testing/development driver issue rather than a production deployment concern.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:55:11.013297+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that includes the patch from commit 31d3817bcd9e192b30abe3cf4b68f69d48864dd2 or the referenced fixes;", "Recompile the system with the latest stable kernel that incorporates the corrected logic;", "If an immediate kernel upgrade is not possible, disable the nvme-fc loopback transport or the fcloop module until a patched kernel is available."], "summary": {"action": "Patch Immediately", "impact": "Use\u2011after\u2011free that can crash the kernel or enable arbitrary code execution"}, "threat_synthesis": {"affected_systems": "All Linux kernel configurations that enable the nvme\u2011fc transport, particularly those compiled with the fcloop loopback feature. The vulnerability exists in any kernel release before the commit that introduced the safe\u2011check; references point to kernel commits that fixed the issue. No specific version range is listed, so any kernel older than the patched state is potentially affected.", "description_and_impact": "A flaw in the Linux kernel NVMe\u2011Over\u2011Fibre Channel loopback transport causes the response handler to be freed by a different code path when the remote port is not online. When the callback pointer remains set, the transport will invoke a handler that frees the same memory again, creating a use\u2011after\u2011free or double\u2011free condition. If an attacker can trigger this mismatch, they may cause a kernel crash or, in some configurations, force execution of arbitrary code at kernel level. The weakness is a callback\u2011free logic flaw tied to state validation, matching CWE\u2011416.", "risk_and_exploitability": "CVSS and EPSS metrics are not provided, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the vulnerable NVMe\u2011FC module to be active and a message that forces a remote port into a non\u2011online state. An attacker could exploit this by sending crafted NVMe\u2011FC transport layer requests over a network that reaches the kernel. Given the potential for kernel compromise, the risk can be considered medium to high for environments exposed to untrusted networks, with lower risk if the transport is isolated or disabled."}}}}, "created": "2026-03-25T21:31:39.823173+00:00", "updated": "2026-03-25T21:31:39.823199+00:00", "vendors": [], "weaknesses": ["CWE-416"]}