{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22998", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.938Z", "datePublished": "2026-01-25T14:36:12.935Z", "dateUpdated": "2026-05-11T21:58:01.694Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:01.694Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "f775f2621c2ac5cc3a0b3a64665dad4fb146e510", "lessThan": "baabe43a0edefac8cd7b981ff87f967f6034dafe", "status": "affected", "versionType": "git"}, {"version": "4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d", "lessThan": "76abc83a9d25593c2b7613c549413079c14a4686", "status": "affected", "versionType": "git"}, {"version": "2871aa407007f6f531fae181ad252486e022df42", "lessThan": "7d75570002929d20e40110d6b03e46202c9d1bc7", "status": "affected", "versionType": "git"}, {"version": "24e05760186dc070d3db190ca61efdbce23afc88", "lessThan": "fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4", "status": "affected", "versionType": "git"}, {"version": "efa56305908ba20de2104f1b8508c6a7401833be", "lessThan": "3def5243150716be86599c2a1767c29c68838b6d", "status": "affected", "versionType": "git"}, {"version": "efa56305908ba20de2104f1b8508c6a7401833be", "lessThan": "374b095e265fa27465f34780e0eb162ff1bef913", "status": "affected", "versionType": "git"}, {"version": "efa56305908ba20de2104f1b8508c6a7401833be", "lessThan": "32b63acd78f577b332d976aa06b56e70d054cbba", "status": "affected", "versionType": "git"}, {"version": "ee5e7632e981673f42a50ade25e71e612e543d9d", "status": "affected", "versionType": "git"}, {"version": "70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.209", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.148", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.75", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.14", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.268"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"}, {"url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"}, {"url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"}, {"url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"}, {"url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"}, {"url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"}, {"url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"}], "title": "nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E4BEAC0-E873-440D-A75E-55699C2412A4", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.268", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6983E9C-F8A9-4494-8156-3E2F7E736BF8", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.10.209", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0275B58-DF8C-46AE-B9A5-20396D123D12", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.15.148", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DE91ACC-6DAF-42AE-8D41-3A91572E9052", "versionEndExcluding": "6.1.162", "versionStartIncluding": "6.1.75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "68AE0BF9-0835-45D8-AACC-EDFAC1663259", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.6.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B14F508-4490-4A35-BEFC-40EF300279E7", "versionEndExcluding": "6.12.67", "versionStartIncluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436", "versionEndExcluding": "6.18.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvme-tcp: soluciona desreferencias de puntero NULL en nvmet_tcp_build_pdu_iovec\n\nEl commit efa56305908b ('nvmet-tcp: Soluciona un p\u00e1nico del kernel cuando el host env\u00eda una longitud de PDU H2C inv\u00e1lida') a\u00f1adi\u00f3 la comprobaci\u00f3n de l\u00edmites de ttag y la validaci\u00f3n de data_offset en nvmet_tcp_handle_h2c_data_pdu(), pero no valid\u00f3 si las estructuras de datos del comando (cmd->req.sg y cmd->iov) han sido inicializadas correctamente antes de procesar las PDUs H2C_DATA.\n\nLa funci\u00f3n nvmet_tcp_build_pdu_iovec() desreferencia estos punteros sin comprobaciones de NULL. Esto puede ser provocado enviando una PDU H2C_DATA inmediatamente despu\u00e9s del handshake ICREQ/ICRESP, antes de enviar un comando CONNECT o un comando de escritura NVMe.\n\nVectores de ataque que provocan desreferencias de puntero NULL:\n1. PDU H2C_DATA enviada antes de CONNECT ? ambos punteros NULL\n2. PDU H2C_DATA para comando READ ? cmd->req.sg asignado, cmd->iov NULL\n3. PDU H2C_DATA para slot de comando no inicializado ? ambos punteros NULL\n\nLa soluci\u00f3n valida tanto cmd->req.sg como cmd->iov antes de llamar a nvmet_tcp_build_pdu_iovec(). Ambas comprobaciones son necesarias porque:\n- Comandos no inicializados: ambos NULL\n- Comandos READ: cmd->req.sg asignado, cmd->iov NULL\n- Comandos WRITE: ambos asignados"}], "id": "CVE-2026-22998", "lastModified": "2026-04-27T14:16:28.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-25T15:15:54.643", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec", "id": "2432671", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432671"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22998", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22998\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22998\nhttps://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22998-8392@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:54:29.780604+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel release that contains the NVMe\u2011TCP NULL pointer check (e.g., upgrade to Linux kernel 6.19 rc6 or subsequent stable version).", "Limit NVMe\u2011TCP exposure by configuring firewall rules or access controls to allow traffic only from trusted hosts.", "Disable or remove the NVMe\u2011TCP feature if it is not required for your environment, using kernel configuration or unloading the nvmet_subsystem module."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "Affected systems are all Linux kernel instances that implement NVMe over TCP before the fix was introduced. The kernel CPE list shows that the flaw exists in the 6.19 release candidates (rc1 to rc5) and, by implication, in the corresponding stable releases that incorporate that code path. Any system with the kernel prior to the commit that brought the bounds checking and pointer validation is vulnerable.", "description_and_impact": "The vulnerability is a NULL pointer dereference in the nvmet_tcp_build_pdu_iovec function of the Linux kernel. When an invalid or prematurely sent H2C_DATA PDU is processed, the kernel dereferences uninitialized pointers and can trigger a kernel panic. The impact is a loss of availability; an attacker could force the host to crash and require a reboot.", "risk_and_exploitability": "The CVSS score is 7.5, indicating high severity, while the EPSS score of less than 1% suggests exploitation is currently considered rare. The vulnerability is not listed in the CISA KEV catalog, so no known mass exploitation campaigns have been recorded yet. Attackers could trigger the fault by sending specially crafted H2C_DATA PDUs before establishing a CONNECT handshake or by targeting READ or uninitialized command slots. Because the protocol operates over the network, the attack vector is likely remote, allowing an external host to disrupt the target."}}}}, "created": "2026-04-18T03:00:10.328977+00:00", "updated": "2026-04-18T03:00:10.328986+00:00", "vendors": []}