CVE-2026-22998

Severity: HIGH · CVSS 3.1: 7.5 · EPSS: 48.9%
Published Jan 25, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:

1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:

- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
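The three command states listed in the description, as a user-space C model added here (it is not the kernel patch or any kernel code). The names model_cmd, model_queue, handle_h2c_data and NR_CMDS, and the -EPROTO return value, are assumptions made for illustration; only the sg/iov pair mirrors cmd->req.sg and cmd->iov from the text.

```c
/* User-space model (added example, not kernel code) of the state check
 * the description requires before the H2C_DATA iovec is built.
 * All identifiers here are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define NR_CMDS 4                      /* assumed queue depth for the model */

struct model_cmd {
    void *sg;                          /* stands in for cmd->req.sg */
    void *iov;                         /* stands in for cmd->iov */
};

struct model_queue {
    struct model_cmd cmds[NR_CMDS];    /* zeroed = no command started yet */
};

static int dummy_sg, dummy_iov;        /* non-NULL markers for "allocated" */

/* A READ maps a scatterlist but never sets up a receive iovec. */
static void start_read(struct model_cmd *c)  { c->sg = &dummy_sg; c->iov = NULL; }
/* A WRITE sets up both, so inbound H2C_DATA has somewhere to land. */
static void start_write(struct model_cmd *c) { c->sg = &dummy_sg; c->iov = &dummy_iov; }

/* Returns 0 if the PDU may proceed to iovec construction, else -errno
 * (the error code is an assumption of this model). */
static int handle_h2c_data(struct model_queue *q, unsigned ttag)
{
    if (ttag >= NR_CMDS)               /* ttag bounds check from the earlier commit */
        return -EPROTO;
    struct model_cmd *c = &q->cmds[ttag];
    /* Check described by the fix: both pointers must be initialized. */
    if (c->sg == NULL || c->iov == NULL)
        return -EPROTO;
    return 0;                          /* only now is it safe to build the iovec */
}

int main(void)
{
    struct model_queue q = {0};        /* state right after ICREQ/ICRESP */
    printf("before CONNECT: %d\n", handle_h2c_data(&q, 0));
    start_read(&q.cmds[1]);
    printf("READ command:   %d\n", handle_h2c_data(&q, 1));
    printf("unused slot:    %d\n", handle_h2c_data(&q, 2));
    start_write(&q.cmds[2]);
    printf("WRITE command:  %d\n", handle_h2c_data(&q, 2));
    return 0;
}
```

Checking only sg would let the READ case through, and checking only iov happens to cover all three cases in this model, which is why the description spells out both pointers per state rather than relying on one.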

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
48.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 12

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.4.268 – <5.5
linux   linux_kernel  *        ≥5.10.209 – <5.10.249
linux   linux_kernel  *        ≥5.15.148 – <5.15.199
linux   linux_kernel  *        ≥6.1.75 – <6.1.162
linux   linux_kernel  *        ≥6.6.14 – <6.6.122
linux   linux_kernel  *        ≥6.7.2 – <6.12.67
linux   linux_kernel  *        ≥6.13 – <6.18.7
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4
    Patch