
Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:

1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec().

Both checks are required because:

- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
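The three command states above can be modelled in user space to show why a check on cmd->req.sg alone is not enough. This is an added example, not the kernel patch: the struct layout, the helper names and the -EPROTO return value are assumptions, and only the field names req.sg and iov come from the description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only. req.sg and iov are the fields named in the
 * description; every other name here is hypothetical. */
struct model_req { void *sg; };
struct model_cmd { struct model_req req; void *iov; };

enum slot_state { SLOT_UNINITIALIZED, SLOT_READ, SLOT_WRITE };

static int sg_buf, iov_buf; /* constructed stand-ins for real allocations */

/* Build a command slot in one of the three states the description lists. */
struct model_cmd make_cmd(enum slot_state state)
{
    struct model_cmd cmd = { { NULL }, NULL };

    if (state != SLOT_UNINITIALIZED)
        cmd.req.sg = &sg_buf;   /* READ and WRITE both have req.sg */
    if (state == SLOT_WRITE)
        cmd.iov = &iov_buf;     /* only WRITE has iov */
    return cmd;
}

/* Incomplete guard: looks at req.sg alone, so a READ slot slips through. */
int precheck_sg_only(const struct model_cmd *cmd)
{
    return cmd->req.sg ? 0 : -EPROTO;
}

/* Guard as the description states it: both pointers must be set before the
 * iovec builder may run. -EPROTO is an assumed error code. */
int precheck_h2c_data(const struct model_cmd *cmd)
{
    if (!cmd->req.sg || !cmd->iov)
        return -EPROTO;
    return 0;
}

int main(void)
{
    static const char *names[] = { "uninitialized", "READ", "WRITE" };

    for (int s = SLOT_UNINITIALIZED; s <= SLOT_WRITE; s++) {
        struct model_cmd cmd = make_cmd((enum slot_state)s);
        printf("%-13s sg-only=%d both=%d\n", names[s],
               precheck_sg_only(&cmd), precheck_h2c_data(&cmd));
    }
    return 0;
}
```

Only the WRITE state passes the two-pointer guard; the READ state passes the sg-only guard, which is the case a single check would miss.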

PUBLISHED Reserved 2026-01-13 | Published 2026-01-25 | Updated 2026-02-09 | Assigner Linux

Product status

Default status: unaffected

f775f2621c2ac5cc3a0b3a64665dad4fb146e510 (git) before baabe43a0edefac8cd7b981ff87f967f6034dafe | affected
4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d (git) before 76abc83a9d25593c2b7613c549413079c14a4686 | affected
2871aa407007f6f531fae181ad252486e022df42 (git) before 7d75570002929d20e40110d6b03e46202c9d1bc7 | affected
24e05760186dc070d3db190ca61efdbce23afc88 (git) before fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4 | affected
efa56305908ba20de2104f1b8508c6a7401833be (git) before 3def5243150716be86599c2a1767c29c68838b6d | affected
efa56305908ba20de2104f1b8508c6a7401833be (git) before 374b095e265fa27465f34780e0eb162ff1bef913 | affected
efa56305908ba20de2104f1b8508c6a7401833be (git) before 32b63acd78f577b332d976aa06b56e70d054cbba | affected
ee5e7632e981673f42a50ade25e71e612e543d9d (git) | affected
70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 (git) | affected

Default status: affected

6.8 | affected
Any version before 6.8 | unaffected
5.10.249 (semver) | unaffected
5.15.199 (semver) | unaffected
6.1.162 (semver) | unaffected
6.6.122 (semver) | unaffected
6.12.67 (semver) | unaffected
6.18.7 (semver) | unaffected
6.19 (original_commit_for_fix) | unaffected

References

git.kernel.org/...c/baabe43a0edefac8cd7b981ff87f967f6034dafe

git.kernel.org/...c/76abc83a9d25593c2b7613c549413079c14a4686

git.kernel.org/...c/7d75570002929d20e40110d6b03e46202c9d1bc7

git.kernel.org/...c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4

git.kernel.org/...c/3def5243150716be86599c2a1767c29c68838b6d

git.kernel.org/...c/374b095e265fa27465f34780e0eb162ff1bef913

git.kernel.org/...c/32b63acd78f577b332d976aa06b56e70d054cbba

cve.org (CVE-2026-22998)

nvd.nist.gov (CVE-2026-22998)
