CVE-2026-52989: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA. Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.
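The fault described above, modelled as an added example in user-space C (not kernel code and not the upstream patch): struct cmd, build_iovec_void, build_iovec, pdu_range_ok and the 4096-byte transfer length are hypothetical stand-ins, with the void builder whose error the caller never sees placed beside the fixed shape that returns a status the caller acts on.

```c
#include <stdint.h>
/* Model of the bug described above, not kernel code; all names are hypothetical.
 * The receive iterator is only meaningful after the builder has set it up. */
enum rcv_state { RCV_PDU, RCV_DATA, RCV_ERR };
struct cmd {
    uint32_t transfer_len;       /* bytes the command expects in total */
    uint32_t iov_off, iov_len;   /* the iterator: where received bytes land */
    int iter_valid;              /* 0 until the builder succeeds */
    enum rcv_state state;
};
/* [off, off + len) must lie inside transfer_len; ordered to avoid 32-bit wrap. */
int pdu_range_ok(uint32_t off, uint32_t len, uint32_t transfer_len)
{
    return len != 0 && off <= transfer_len && len <= transfer_len - off;
}
/* Vulnerable shape: void return, so the caller cannot tell that the iterator
 * was never initialised and switches the queue to RCV_DATA regardless. */
static void build_iovec_void(struct cmd *c, uint32_t off, uint32_t len)
{
    if (!pdu_range_ok(off, len, c->transfer_len)) {
        c->state = RCV_ERR;      /* fatal error flagged on the queue ... */
        return;                  /* ... but the caller never learns of it */
    }
    c->iov_off = off; c->iov_len = len; c->iter_valid = 1;
}
/* Returns 1 when the old caller ends up receiving data into an unset iterator. */
int vulnerable_enters_recv_data_unset(uint32_t off, uint32_t len)
{
    struct cmd c = { .transfer_len = 4096 };   /* constructed sample command */
    build_iovec_void(&c, off, len);
    c.state = RCV_DATA;          /* unconditional overwrite: the bug */
    return c.state == RCV_DATA && !c.iter_valid;
}
/* Fixed shape: the builder reports failure and the caller stops early. */
static int build_iovec(struct cmd *c, uint32_t off, uint32_t len)
{
    if (!pdu_range_ok(off, len, c->transfer_len)) { c->state = RCV_ERR; return -1; }
    c->iov_off = off; c->iov_len = len; c->iter_valid = 1;
    return 0;
}
/* Returns 1 only when the PDU was in range and the iterator is ready. */
int fixed_enters_recv_data(uint32_t off, uint32_t len)
{
    struct cmd c = { .transfer_len = 4096 };
    if (build_iovec(&c, off, len) < 0)
        return 0;                /* queue stays in RCV_ERR; nothing is received */
    c.state = RCV_DATA;
    return c.iter_valid;
}
```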
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An uninitialized memory iterator vulnerability exists in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp). The flaw is reachable over the network without authentication, because a remote peer sending a malformed PDU (protocol data unit) with an out-of-bounds length or offset causes error-handling code to return without initializing a message iterator, and callers blindly continue using the uninitialized structure. Successful exploitation gives an attacker the ability to read sensitive kernel memory, corrupt kernel data structures, or crash the host. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-52989 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against customer images, including custom-built images containing affected kernel versions. Any image whose kernel falls within the affected commit ranges is flagged automatically in the registry scan results and in CI/CD pipeline checks.
HarborGuard scores this CVE at 9.8 CRITICAL per CVSS v3.1 and weights that score against each customer environment's compliance policy to determine escalation priority. Findings are routed to the team inbox or ticketing integration configured for the affected workload, so the right engineers see the alert without manual triage.
A patched-image rebuild targeting the fix commits (including 3df42a854686fa06484e37ac1a3931c8e3e3453c and the additional stable-branch fixes) is available for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The nvmet-tcp target listens on a TCP socket; an attacker must be able to reach that socket over the network to send a malformed PDU and trigger the vulnerability.
- Authentication: Not required
  No credentials are needed; the malformed PDU can be sent before any NVMe authentication exchange completes, so any unauthenticated network peer can trigger the flaw.
- Victim interaction: Not required
  No user or administrator action is required; the attacker sends a crafted packet and the kernel processes it automatically.
- Attack complexity
  Exploitation is reliable and condition-free once the target port is reachable; no race conditions or special memory-layout requirements are documented.
Blast Radius
- An attacker can read kernel memory contents reachable through the uninitialized message iterator, exposing in-flight NVMe command data, kernel pointers, and potentially other tenants' I/O buffers.
- An attacker can corrupt kernel data structures by causing the receive loop to write incoming network bytes into arbitrary memory, enabling privilege escalation or persistent backdoor installation.
- The malformed PDU can crash the affected host by triggering a kernel panic or NULL-pointer dereference through the corrupted queue state, taking down all workloads on that node.
How HarborGuard Handles This
Available on HarborGuard: images whose kernel version falls within the affected commit ranges are flagged as CRITICAL within minutes of advisory ingestion. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image against the patched kernel commits, executes the configured regression test suite, and opens a pull request against the affected workload repositories. For high- and critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the registry dashboard and pipeline results immediately, with remediation steps linked to the upstream fix commits. As a compensating control while a patched image is prepared, network policy rules that restrict nvmet-tcp port access to explicitly trusted initiators reduce the exposed attack surface without requiring a kernel change.
Fix available
- Linux / Linux, affected commit ranges:
  - < 3df42a854686fa06484e37ac1a3931c8e3e3453c (from 1385be357e8acd09b36e026567f3a9d5c61139de)
  - < d7c8f95f599b3b38a717d2e771c3f8c174f657c3 (from dca1a6ba0da9f472ef040525fab10fd9956db59f)
  - < f9204a2b78dd18374d3bcf9bf93d9021ce22de1b (from 19672ae68d52ff75347ebe2420dde1b07adca09f)
  - < c2a11441538bdbbc5aa003f190995eba93a89b88 (from ab200d71553bdcf4de554a5985b05b2dd606bc57)
  - < 046fa5c72d15cd8e2d592e275697ea399d8f76b0 (from 52a0a98549344ca20ad81a4176d68d28e3c05a5c)
  - < ea8e356acb165cb1fd75537a52e1f66e5e76c538 (from 52a0a98549344ca20ad81a4176d68d28e3c05a5c)
- Linux / Linux 6.19: Fixed in 0, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H