Description
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.

An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A null pointer dereference in the kernel can be triggered by a remote NVMe/TCP client when it sends a CONNECT command for an I/O queue that carries a bogus or stale control identifier. The fault causes the kernel to panic, resulting in an unauthenticated remote denial of service. This weakness is a classic Null Pointer Dereference (CWE‑476).

Affected Systems

The vulnerability applies to systems running FreeBSD that expose an NVMe/TCP target. No specific version range is listed in the advisory, so any FreeBSD installation configured with NVMe/TCP support may be affected until a patch is applied.

Risk and Exploitability

With a CVSS score of 7.5 the risk is considered moderate to high, yet the EPSS score of less than 1 % indicates that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker merely needs network access to the NVMe/TCP target and can trigger the failure without authentication, making the attack vector network-based and straightforward once the target is reachable.

Generated by OpenCVE AI on March 26, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest FreeBSD release or apply the security update that fixes the kernel panic in NVMe/TCP handling.
  • Verify the patch by reviewing the FreeBSD security advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc.
  • If an immediate update is infeasible, block or restrict NVMe/TCP traffic at the network perimeter to prevent the CONNECT request from reaching the target.

Generated by OpenCVE AI on March 26, 2026 at 15:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 26 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
Description On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID. An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
Title Remote denial of service via null pointer dereference
Weaknesses CWE-476
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-03-26T13:31:31.356Z

Reserved: 2026-03-23T14:35:04.472Z

Link: CVE-2026-4652

cve-icon Vulnrichment

Updated: 2026-03-26T13:31:18.276Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T07:16:20.540

Modified: 2026-04-30T18:57:58.167

Link: CVE-2026-4652

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:52Z

Weaknesses