CRITICAL · CVE-2026-23112 · CNA: Linux
CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
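The guards named in the description, shown on a simplified user-space model of a scatter-gather walk. This is an added example, not the kernel patch or any code from the nvmet-tcp driver: `build_pdu_iovec`, `sg_ent`, `vec_ent`, `demo` and the one-page-per-entry layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u /* assumption: every sg entry maps at most one page */

struct sg_ent  { uint32_t offset, length; };      /* stand-in for struct scatterlist */
struct vec_ent { uint32_t sg_idx, offset, len; }; /* stand-in for struct bio_vec */

/* Map `length` bytes at byte offset `pdu_off` onto sg entries.
 * Returns the number of vec entries written, or -1 if the range is not
 * fully covered by valid entries. */
int build_pdu_iovec(const struct sg_ent *sg, size_t sg_cnt, uint32_t pdu_off,
                    uint32_t length, struct vec_ent *out, size_t out_cap)
{
    size_t sg_idx = pdu_off / PAGE_SZ, n = 0;
    uint32_t sg_off = pdu_off % PAGE_SZ;

    while (length) {
        if (sg_idx >= sg_cnt || n >= out_cap)  /* guard index and remaining entries */
            return -1;
        const struct sg_ent *e = &sg[sg_idx];
        if (e->offset >= PAGE_SZ || e->length == 0 ||
            e->length > PAGE_SZ - e->offset || sg_off >= e->length)
            return -1;                         /* guard bogus length/offset */
        uint32_t len = e->length - sg_off;
        if (len > length)
            len = length;
        out[n++] = (struct vec_ent){ (uint32_t)sg_idx, e->offset + sg_off, len };
        length -= len;
        sg_idx++;
        sg_off = 0;
    }
    return (int)n;
}

/* Constructed sample: two full pages followed by a corrupt zero-length entry. */
static const struct sg_ent sample_sg[3] = { {0, 4096}, {0, 4096}, {0, 0} };
static struct vec_ent demo_out[4];

int demo(uint32_t pdu_off, uint32_t length)
{
    return build_pdu_iovec(sample_sg, 3, pdu_off, length, demo_out, 4);
}

int main(void)
{
    printf("in range: %d, past end: %d\n", demo(0, 8192), demo(12288, 1));
    return 0;
}
```

Without the first guard, an offset of 12288 would index one entry past the three-element list; without the second, the zero-length entry would be used as if it described valid memory.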
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
Affected packages
- Linux / Linux: < 0b9981751be14b59b4473383c731c833738aebdb (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30) · < 42afe8ed8ad2de9c19457156244ef3e1eca94b5d (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30) · < 1385be357e8acd09b36e026567f3a9d5c61139de (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30) · < dca1a6ba0da9f472ef040525fab10fd9956db59f (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30) · < 19672ae68d52ff75347ebe2420dde1b07adca09f (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30) · < ab200d71553bdcf4de554a5985b05b2dd606bc57 (from 872d26a391da92ed8f0c0f5cb5fef428067b7f30)
- Linux / Linux: 5.0 · Fixed in 0, 5.10.253, 5.15.200, 6.1.163, 6.6.124, 6.12.70, 6.18.10, 6.19
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H