Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.

Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s nvmet‑tcp subsystem. A helper function that sets up a PDU iterator returns void and silently discards errors when it detects an out‑of‑bounds PDU length or offset. Because callers are unaware of the failure, they overwrite the command’s state and later use an uninitialized iterator to read network data. Based on the description, the improper error handling and use of uninitialized memory could allow an attacker who can inject crafted network packets to corrupt kernel memory, potentially leading to execution of arbitrary code with kernel privileges. This inference is not explicitly stated in the CVE data but follows from the described mechanics and the identified weaknesses (CWE‑665, CWE‑682, CWE‑390).

Affected Systems

The affected component is the Linux kernel, specifically the nvmet‑tcp implementation. The CVE does not list a specific version range, so the flaw applies to any kernel that includes the vulnerable code path before the patch is applied. The vendor is Linux and the product is the Linux kernel; no other vendors are affected according to the CNA data.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score is less than 1 %, implying a low probability of exploitation at the time of this analysis. The vulnerability can be triggered over the network by sending malformed nvmet‑tcp PDUs to a host that exposes the service. The potential for kernel memory corruption and the inferred possibility of arbitrary code execution give the flaw a high risk profile. The flaw is not listed in the CISA KEV catalog. The likely attack vector is network‑based, requiring access to the nvmet‑tcp port from an untrusted host.

Generated by OpenCVE AI on June 28, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the nvmet‑tcp error‑handling fix; consult your distribution’s security advisories for the appropriate package version.
  • If an immediate kernel upgrade is not possible, disable the nvmet‑tcp protocol or bind it to trusted network interfaces so that untrusted hosts cannot send PDU data.
  • Configure network filtering or firewall rules to block or restrict access to the nvmet‑tcp port from external or potentially malicious hosts.

Generated by OpenCVE AI on June 28, 2026 at 13:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-390
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.
Title nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:33.468Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52989

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52989 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:15:16Z

Weaknesses
  • CWE-390

    Detection of Error Condition Without Action