{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23148", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.975Z", "datePublished": "2026-02-14T16:01:17.575Z", "dateUpdated": "2026-05-11T22:01:08.366Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:08.366Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Call Trace:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/io-cmd-bdev.c"], "versions": [{"version": "431e58d56fcb5ff1f9eb630724a922e0d2a941df", "lessThan": "ee10b06980acca1d46e0fa36d6fb4a9578eab6e4", "status": "affected", "versionType": "git"}, {"version": "190f4c2c863af7cc5bb354b70e0805f06419c038", "lessThan": "68207ceefd71cc74ce4e983fa9bd10c3122e349b", "status": "affected", "versionType": "git"}, {"version": "190f4c2c863af7cc5bb354b70e0805f06419c038", "lessThan": "0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e", "status": "affected", "versionType": "git"}, {"version": "2e2028fcf924d1c6df017033c8d6e28b735a0508", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/io-cmd-bdev.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.69", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.9", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.37", "versionEndExcluding": "6.12.69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"}, {"url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"}, {"url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"}], "title": "nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFABC310-8043-45B8-9F6C-094B74C9CA4C", "versionEndExcluding": "6.12.69", "versionStartIncluding": "6.12.37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEF58D78-987C-49EA-8F22-0EF0F89F0A2E", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A28A864A-0812-4D37-96BC-20142FCA21ED", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*", "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*", "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*", "matchCriteriaId": "7A9C2DE5-43B8-4D73-BDB5-EA55C7671A52", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Call Trace:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvmet: corregir condici\u00f3n de carrera en nvmet_bio_done() que lleva a una desreferencia de puntero NULL\n\nExiste una condici\u00f3n de carrera en nvmet_bio_done() que puede causar una desreferencia de puntero NULL en blk_cgroup_bio_start():\n\n1. nvmet_bio_done() es llamada cuando un bio se completa\n2. nvmet_req_complete() es llamada, lo que invoca req->ops->queue_response(req)\n3. La devoluci\u00f3n de llamada queue_response puede volver a encolar y volver a enviar la misma solicitud\n4. El reenv\u00edo reutiliza el mismo inline_bio de nvmet_req\n5. Mientras tanto, nvmet_req_bio_put() (llamada despu\u00e9s de nvmet_req_complete) invoca bio_uninit() para inline_bio, lo que establece bio->bi_blkg en NULL\n6. El bio reenviado entra en submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() desreferencia bio->bi_blkg, causando un fallo:\n\n ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000028\n #PF: acceso de lectura de supervisor en modo kernel\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Rastro de Llamada:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nCorregir esto reordenando nvmet_bio_done() para llamar a nvmet_req_bio_put() ANTES de nvmet_req_complete(). Esto asegura que el bio se limpie antes de que la solicitud pueda ser reenviada, previniendo la condici\u00f3n de carrera."}], "id": "CVE-2026-23148", "lastModified": "2026-04-03T14:16:24.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T16:15:54.913", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference", "id": "2439904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439904"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23148", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23148\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23148\nhttps://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23148-bb5d@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[431e58d56fcb5ff1f9eb630724a922e0d2a941df,ee10b06980acca1d46e0fa36d6fb4a9578eab6e4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[190f4c2c863af7cc5bb354b70e0805f06419c038,68207ceefd71cc74ce4e983fa9bd10c3122e349b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[190f4c2c863af7cc5bb354b70e0805f06419c038,0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "2e2028fcf924d1c6df017033c8d6e28b735a0508"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.69,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.9,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-16T06:49:13.212626+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release that includes the nvmet_bio_done reordering patch (e.g., kernel 6.16 or newer stable releases).", "If a kernel update is not immediately available, consider disabling the nvmet (NVMe over Fabrics) driver until the patch is applied.", "If disabling the driver is not feasible, restrict NVMe target traffic by firewall rules or network segmentation to limit the attack surface until the kernel is upgraded."], "summary": {"action": "Apply patch", "impact": "Kernel crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "Affected kernel releases include Linux 6.16 from release candidate 5 through 7 and Linux 6.19 from release candidate 1 through 7. Any kernel built from these branches that has not incorporated the nvmet_bio_done reordering fix remains vulnerable. Earlier nightly builds and the generic kernel before the patch are also affected.", "description_and_impact": "A race condition exists in the nvmet module of the Linux kernel where the nvmet_bio_done() function can be executed after a request has been re\u2011queued, leading to a NULL pointer dereference in blk_cgroup_bio_start(). This vulnerability triggers a kernel panic and system crash, disrupting availability. The weakness is a NULL pointer dereference (CWE\u2011476) and does not directly enable code execution but can be exploited to cause denial of service if an attacker can influence NVMe target requests.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a very low probability of real\u2011world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need local or privileged access to manipulate NVMe traffic that targets the system\u2019s NVMe over Fabrics subsystem. Because the flaw leads to a crash rather than code execution, the probable impact is denial of service rather than privilege escalation."}}}}, "created": "2026-02-16T12:01:19.467050+00:00", "updated": "2026-04-16T07:00:10.977146+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}