CVE-2026-46135: nvmet-tcp: fix race between ICReq handling and queue teardown
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix race between ICReq handling and queue teardown

nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.

If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.

The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.

Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.
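The interleaving the advisory describes is easier to see with the state machine pulled out of the driver. The following user-space model is an added example, not kernel code and not part of the upstream fix: the types, the `queue_put()` refcount stand-in, the `atomic_flag` standing in for `state_lock`, and the function names `schedule_release_queue()`, `handle_icreq_unfixed()`, `handle_icreq_fixed()` and `run_race()` are all simplifications of `nvmet_tcp_schedule_release_queue()`, `nvmet_tcp_handle_icreq()` and the ICResp send path. It replays the four steps from the advisory deterministically and counts how many times the final reference is dropped, once with the unserialized post-send transition and once with the locked, DISCONNECTING-checked version.

```c
/*
 * User-space model of the nvmet-tcp state race. Added example with stand-in
 * types and names; the real functions are nvmet_tcp_handle_icreq(),
 * nvmet_tcp_schedule_release_queue() and nvmet_tcp_socket_error().
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

enum q_state { Q_CONNECTING, Q_LIVE, Q_DISCONNECTING, Q_FAILED };

struct queue {
    enum q_state state;
    int refcount;      /* stands in for queue->kref */
    int releases;      /* times the final release ran; exactly 1 is correct */
    int double_puts;   /* puts issued after the refcount already hit zero */
    atomic_flag lock;  /* stands in for queue->state_lock */
};

static void state_lock(struct queue *q)   { while (atomic_flag_test_and_set(&q->lock)) ; }
static void state_unlock(struct queue *q) { atomic_flag_clear(&q->lock); }

static void queue_init(struct queue *q)
{
    q->state = Q_CONNECTING;
    q->refcount = 1;   /* the reference owned by the live socket */
    q->releases = 0;
    q->double_puts = 0;
    atomic_flag_clear(&q->lock);
}

/* kref_put() stand-in: release on the 1->0 transition, flag anything beyond. */
static void queue_put(struct queue *q)
{
    if (q->refcount <= 0) { q->double_puts++; return; }
    if (--q->refcount == 0) q->releases++;
}

/* nvmet_tcp_schedule_release_queue(): DISCONNECTING is the guard that is
 * supposed to make teardown drop the reference only once per queue. */
static void schedule_release_queue(struct queue *q)
{
    state_lock(q);
    if (q->state != Q_DISCONNECTING) {
        q->state = Q_DISCONNECTING;
        queue_put(q);
    }
    state_unlock(q);
}

/* Unfixed post-ICResp transition: written without the lock, so it overwrites
 * DISCONNECTING with LIVE (or FAILED on a send error) after teardown began. */
static int handle_icreq_unfixed(struct queue *q, bool send_ok)
{
    if (!send_ok) {
        q->state = Q_FAILED;
        return -ECONNRESET;
    }
    q->state = Q_LIVE;
    return 0;
}

/* Fixed transition: take state_lock and, if teardown already moved the queue
 * to DISCONNECTING, bail with the internal -ESHUTDOWN sentinel untouched. */
static int handle_icreq_fixed(struct queue *q, bool send_ok)
{
    int rc = 0;

    state_lock(q);
    if (q->state == Q_DISCONNECTING) {
        rc = -ESHUTDOWN;
    } else if (!send_ok) {
        q->state = Q_FAILED;
        rc = -ECONNRESET;
    } else {
        q->state = Q_LIVE;
    }
    state_unlock(q);
    return rc;
}

struct outcome { int rc; int releases; int double_puts; };

/* The advisory's interleaving, replayed in order:
 * 1. host sends ICReq and closes at once (ICReq is still buffered);
 * 2. the socket state change runs teardown from softirq: DISCONNECTING + put;
 * 3. io_work drains the buffered ICReq and runs the post-send transition;
 * 4. a later socket state change re-enters the release path. */
struct outcome run_race(bool fixed, bool send_ok)
{
    struct queue q;
    struct outcome o;

    queue_init(&q);
    schedule_release_queue(&q);                          /* step 2 */
    o.rc = fixed ? handle_icreq_fixed(&q, send_ok)       /* step 3 */
                 : handle_icreq_unfixed(&q, send_ok);
    schedule_release_queue(&q);                          /* step 4 */
    o.releases = q.releases;
    o.double_puts = q.double_puts;
    return o;
}

int main(void)
{
    static const char *label[] = { "unfixed", "fixed" };
    for (int f = 0; f < 2; f++)
        for (int ok = 0; ok < 2; ok++) {
            struct outcome o = run_race(f, ok);
            printf("%-7s send_ok=%d rc=%d releases=%d double_puts=%d\n",
                   label[f], ok, o.rc, o.releases, o.double_puts);
        }
    return 0;
}
```

In the unfixed runs the second `schedule_release_queue()` sees LIVE or FAILED, takes the guard again, and issues a put against a queue whose refcount already reached zero, which in the kernel is the second `kref_put()` on freed memory. In the fixed runs step 3 returns `-ESHUTDOWN` without touching the state, so the guard holds and the reference is dropped exactly once.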
HarborGuard Analysis
Synopsis
A race condition in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets an unauthenticated remote client cause a second kref_put() on an already released queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The defect is reachable over the network from any host that can open a TCP connection to a configured NVMe/TCP target port; no credentials or user interaction are needed. The direct consequence is kernel memory corruption (a use-after-free that becomes a double free of the queue). HarborGuard rates it CVSS 9.8 Critical with high confidentiality, integrity and availability impact; a kernel crash is the outcome an attacker can trigger most reliably, while code execution would require additional heap grooming that the advisory does not describe. Patched-image rebuilds at the fix versions (6.12.88, 6.18.30, 7.0.7, 7.1-rc2, and the named commits) are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built kernel or NVMe-enabled images, in both registry scans and CI pipeline checks.
HarborGuard scores this CVE at CVSS 9.8 Critical and can weight that score against each environment's compliance policy to determine breach-of-threshold status; triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the fix versions (6.12.88, 6.18.30, 7.0.7, 7.1-rc2, or the upstream commits) becomes available on HarborGuard once those versions are detected as the upstream resolution. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the NVMe-over-TCP target port over the network; any host with network access to the exposed service can trigger the race.
- Authentication: Not required
No credentials are needed; the vulnerability is triggered during the unauthenticated connection-initialization handshake, before any NVMe-level authentication or controller association takes place.
- Victim interaction: Not required
No user or administrator action is required on the target system; sending an ICReq and closing the TCP connection is sufficient.
- Attack complexity: Low
CVSS rates the complexity low, but this is still a genuine race: the host's ICReq must be sitting in the socket buffer when the socket state change runs teardown from softirq context, before io_work has drained it. The window lies in the normal connection teardown path, so an attacker can retry cheaply by opening and dropping connections in a loop, and no knowledge of kernel memory layout is needed to reach the double kref_put() and crash the target. Turning the resulting corruption into a controlled read or write primitive is a further step the advisory does not describe.
Blast Radius
- An attacker who wins the race causes a second kref_put() on a queue object whose final reference was already dropped: a use-after-free that ends in a double free of the queue. The immediate effect is kernel memory corruption, and the simplest outcome is a kernel oops or panic.
- Because the corruption happens in kernel context, an exploit that grooms the freed allocation could in principle read or modify kernel memory, which is the basis for the C:H and I:H components of the CVSS vector; the advisory describes no such primitive, and it should not be assumed to be cheap.
- A crash takes down the host kernel outright, and with it every workload and service running on that node.
- Any container or process sharing the kernel on the affected host is exposed to the full impact of the kernel memory corruption, not just NVMe-connected workloads; container isolation does not mitigate a kernel-level fault.
How HarborGuard Handles This
Images running a Linux kernel older than the fix on their branch (6.12.y before 6.12.88, 6.18.y before 6.18.30, 7.0.y before 7.0.7, mainline before 7.1-rc2, or any build that does not carry the relevant upstream commits) are flagged as affected by this CVE on every scan and pipeline check. Where compliance policy permits, auto-remediation customers receive a rebuilt image at a patched kernel version, a regression-test run, and a pull request opened against affected workloads, with a median time to merged PR of around 90 minutes for critical-severity findings. Note that the bug is in the target side (nvmet-tcp), not the initiator (nvme-tcp): a host that only mounts NVMe/TCP volumes is not exposed, and a vulnerable kernel only listens for ICReq once an NVMe target port with TCP transport has been configured. A quick exposure check is whether the nvmet_tcp module is loaded (lsmod, or /sys/module/nvmet_tcp exists) and whether any /sys/kernel/config/nvmet/ports/*/addr_trtype reads tcp; the listening port is the port's addr_trsvcid, conventionally 4420. For environments where an immediate kernel upgrade is not possible, compensating controls to consider are restricting network access to that port via network policy or firewall rules so that only known NVMe hosts can reach the service, and removing TCP ports from the nvmet configuration or unloading the nvmet_tcp module where NVMe-over-TCP target functionality is not required. HarborGuard re-checks advisory and fix status on every ingest cycle so that any additional stable-branch backports are reflected automatically.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in (upstream commit): 49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3
- Affected products: 2
Fix available
- Linux / Linux: affected before 49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · before 67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · before dcfe4d1f7960e7d1c01642318f3aae1a604f8508 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · before 5293a8882c549fab4a878bc76b0b6c951f980a61 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · before 6.12.88 (from 0) · before 6.18.30 (from 0)
- Linux / Linux: fixed in 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H