{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23112", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.968Z", "datePublished": "2026-02-13T13:29:56.724Z", "dateUpdated": "2026-05-11T22:00:21.299Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:21.299Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "0b9981751be14b59b4473383c731c833738aebdb", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "42afe8ed8ad2de9c19457156244ef3e1eca94b5d", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "1385be357e8acd09b36e026567f3a9d5c61139de", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "dca1a6ba0da9f472ef040525fab10fd9956db59f", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "19672ae68d52ff75347ebe2420dde1b07adca09f", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "ab200d71553bdcf4de554a5985b05b2dd606bc57", "status": "affected", "versionType": "git"}, {"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "lessThan": "52a0a98549344ca20ad81a4176d68d28e3c05a5c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/tcp.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.200", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0b9981751be14b59b4473383c731c833738aebdb"}, {"url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"}, {"url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"}, {"url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"}, {"url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"}, {"url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"}, {"url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"}], "title": "nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3FE195C-31F6-4C73-A636-498693B92336", "versionEndExcluding": "5.10.250", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D16F6370-B70F-471C-8363-3A17B0BB1DA9", "versionEndExcluding": "5.15.200", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9C856E1-4308-4C0B-A973-7DD375DF66C4", "versionEndExcluding": "6.1.163", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "76183B9F-CABE-4E21-A3E3-F0EBF99DC3C7", "versionEndExcluding": "6.6.124", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvmet-tcp: a\u00f1adir comprobaciones de l\u00edmites en nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() podr\u00eda exceder cmd->req.sg cuando una longitud o desplazamiento de PDU excede sg_cnt y luego usar valores sg->length/offset err\u00f3neos, lo que lleva a _copy_to_iter() GPF/KASAN. Proteger sg_idx, las entradas restantes y sg->length/offset antes de construir el bvec."}], "id": "CVE-2026-23112", "lastModified": "2026-05-04T09:16:00.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-13T14:16:10.403", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b9981751be14b59b4473383c731c833738aebdb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "id": "2439683", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439683"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module nvmet-tcp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2026-23112", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23112\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23112\nhttps://lore.kernel.org/linux-cve-announce/2026021302-CVE-2026-23112-6499@gregkh/T"], "statement": "An out of bounds access in the NVMe TCP target can occur in nvmet_tcp_build_pdu_iovec when a crafted PDU length or data offset causes sg_idx to exceed cmd req sg_cnt or causes iteration past the remaining scatterlist entries. This can make the code use bogus sg length and offset values and then crash in _copy_to_iter with a general protection fault or a KASAN report. For the CVSS the PR is N in the paranoid scenario because an attacker only needs network reachability to the NVMe TCP target listener and does not need local credentials on the victim. The issue is network reachable in environments that expose NVMe over TCP to initiators (usually in local networks or by VPN, so for the CVSS keeping AV:A). Impact is a reliable denial of service via kernel crash. In a conservative assessment memory corruption patterns may also be considered for potential confidentiality or integrity impact.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,043b4307a99f902697349128fde93b2ddde4686c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,42afe8ed8ad2de9c19457156244ef3e1eca94b5d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,1385be357e8acd09b36e026567f3a9d5c61139de)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,dca1a6ba0da9f472ef040525fab10fd9956db59f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,19672ae68d52ff75347ebe2420dde1b07adca09f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,ab200d71553bdcf4de554a5985b05b2dd606bc57)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[872d26a391da92ed8f0c0f5cb5fef428067b7f30,52a0a98549344ca20ad81a4176d68d28e3c05a5c)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.250,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.200,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.163,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.124,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T20:43:49.097153+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the nvmet_tcp_build_pdu_iovec bounds\u2011check patch (commits 043b4307a99f\u2026).", "If an immediate kernel update is not possible, disable the nvmet-tcp service or block the NVMe over TCP traffic to prevent the vulnerability from being exercised.", "Continuously monitor kernel logs for KASAN messages or unexpected panics, and apply any security updates from the vendor as soon as they become available."], "summary": {"action": "Immediate patch", "impact": "Remote code execution / kernel privilege escalation"}, "threat_synthesis": {"affected_systems": "The flaw is present in the Linux kernel starting with release candidate 6.19 rc1 through rc8, as indicated by the CPE list. The affected vendors are Linux:Linux. Systems running these kernels as part of a NVMe over TCP implementation are exposed. The commit that added proper bounds checks mitigates the issue, but all systems upstream from the bug remain vulnerable until the patch is applied.", "description_and_impact": "This vulnerability in the Linux kernel's nvmet-tcp subsystem, specifically nvmet_tcp_build_pdu_iovec, allows an attacker to cause the kernel to read beyond a submitted scatter\u2011gather list when a PDU length or offset exceeds the count of SG entries. The unchecked bounds lead to a kernel\u2011mode fault and may provide a path to arbitrary memory corruption. Because the components operate in privileged kernel space, exploitation can enable an attacker to elevate privileges or execute arbitrary code with system privileges.", "risk_and_exploitability": "The CVSS score of 9.8 marks the vulnerability as critical, and the EPSS score of less than 1% suggests that, as of the last analysis, exploitation activity is low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no publicly known exploits yet. The attack is likely network\u2011based, requiring the attacker to send malformed NVMe commands to a target exposing nvmet-tcp. The high severity mandates immediate action, even though the current exploitation probability remains modest."}}}}, "created": "2026-02-13T21:28:37.904734+00:00", "updated": "2026-04-15T20:45:06.390409+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}