CVE-2026-23112
CRITICAL EPSS 31.7%
Published Feb 13, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)
9.8 CVSS 3.1
Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
31.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-787 Out-of-bounds Write Memory Safety
Affected Products 14
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥5.0 – <5.10.250 |
| linux | linux_kernel | * | ≥5.11 – <5.15.200 |
| linux | linux_kernel | * | ≥5.16 – <6.1.163 |
| linux | linux_kernel | * | ≥6.2 – <6.6.124 |
| linux | linux_kernel | * | ≥6.7 – <6.12.70 |
| linux | linux_kernel | * | ≥6.13 – <6.18.10 |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
| linux | linux_kernel | 6.19 | any |
References 8
- cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-253495.html
- git.kernel.org https://git.kernel.org/stable/c/0b9981751be14b59b4473383c731c833738aebdb
- git.kernel.org https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de
- git.kernel.org https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f
- git.kernel.org https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d
- git.kernel.org https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c
- git.kernel.org https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57
- git.kernel.org https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f
Remediation
- git.kernel.org https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de
- git.kernel.org https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f
- git.kernel.org https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d
- git.kernel.org https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c
- git.kernel.org https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57
- git.kernel.org https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f