Message-ID: <2026012533-CVE-2026-22998-8392@gregkh>
Date: Sun, 25 Jan 2026 15:36:34 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending an H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
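As an added example (not the kernel's code and not the fix itself), a user-space C model of the gate the advisory describes: the ttag bounds check from efa56305908b followed by the two pointer checks the fix adds. The names pdu_cmd, tcp_queue, validate_h2c_data, prepare_read and prepare_write are invented stand-ins for the kernel's nvmet_tcp structures and handlers, and NR_CMDS is a constructed value.

```c
/* User-space model of the H2C_DATA checks described in CVE-2026-22998.
 * Added example, not the kernel's code: pdu_cmd, tcp_queue,
 * validate_h2c_data, prepare_read and prepare_write are invented
 * stand-ins for the kernel's nvmet_tcp_cmd/nvmet_tcp_queue handling. */
#include <stddef.h>

#define NR_CMDS 4U   /* command slots per queue (constructed value) */

enum h2c_verdict { H2C_OK = 0, H2C_BAD_TTAG, H2C_NOT_READY };

struct pdu_cmd {
    void *sg;    /* stands in for cmd->req.sg */
    void *iov;   /* stands in for cmd->iov    */
};

struct tcp_queue {
    struct pdu_cmd cmds[NR_CMDS];   /* zeroed: every slot uninitialized */
};

/* Hardened gate in front of iovec construction. Both pointer checks are
 * needed: an uninitialized slot has both NULL, a READ command has sg set
 * but iov NULL, and only a WRITE command has both set. */
enum h2c_verdict validate_h2c_data(const struct tcp_queue *q, unsigned int ttag)
{
    const struct pdu_cmd *cmd;

    if (ttag >= NR_CMDS)   /* ttag bounds check (from commit efa56305908b) */
        return H2C_BAD_TTAG;
    cmd = &q->cmds[ttag];
    if (!cmd->sg || !cmd->iov)   /* the missing checks the fix adds */
        return H2C_NOT_READY;
    return H2C_OK;   /* safe to build the PDU iovec from cmd->sg/cmd->iov */
}

/* Constructed slot states for the three cases in the advisory. */
static char sg_buf[64], iov_buf[64];

void prepare_read(struct tcp_queue *q, unsigned int ttag)
{
    q->cmds[ttag].sg = sg_buf;   /* scatterlist allocated, no iovec */
    q->cmds[ttag].iov = NULL;
}

void prepare_write(struct tcp_queue *q, unsigned int ttag)
{
    q->cmds[ttag].sg = sg_buf;   /* WRITE: both allocated */
    q->cmds[ttag].iov = iov_buf;
}
```

A zeroed queue models the state right after ICREQ/ICRESP, before any CONNECT command has populated a slot.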
The Linux kernel CVE team has assigned CVE-2026-22998 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.8 with commit efa56305908ba20de2104f1b8508c6a7401833be and fixed in 6.12.67 with commit 3def5243150716be86599c2a1767c29c68838b6d
Issue introduced in 6.8 with commit efa56305908ba20de2104f1b8508c6a7401833be and fixed in 6.18.7 with commit 374b095e265fa27465f34780e0eb162ff1bef913
Issue introduced in 6.8 with commit efa56305908ba20de2104f1b8508c6a7401833be and fixed in 6.19-rc6 with commit 32b63acd78f577b332d976aa06b56e70d054cbba
Issue introduced in 5.4.268 with commit ee5e7632e981673f42a50ade25e71e612e543d9d
Issue introduced in 5.10.209 with commit f775f2621c2ac5cc3a0b3a64665dad4fb146e510
Issue introduced in 5.15.148 with commit 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d
Issue introduced in 6.1.75 with commit 2871aa407007f6f531fae181ad252486e022df42
Issue introduced in 6.6.14 with commit 24e05760186dc070d3db190ca61efdbce23afc88
Issue introduced in 6.7.2 with commit 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-22998
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/nvme/target/tcp.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba