CVE-2026-23112
9.8 CRITICALIn the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp...
Published: 2026-02-13 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-787
Affected products
| Vendor | Product |
|---|---|
| linux | linux_kernel |
Description
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-23112
- [Other]https://git.kernel.org/stable/c/0b9981751be14b59b4473383c731c833738aebdb
- [Patch]https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de
- [Patch]https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f
- [Patch]https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d
- [Patch]https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c
- [Patch]https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57
- [Patch]https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f
- [Other]https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Related CVEs
Same vendor
- CVE-2026-46273 — In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapt... (8.6 HIGH)
- CVE-2026-46272 — In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode ... (4.7 MEDIUM)
- CVE-2026-46271 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: do WoW offloads only on primary link In case of multi... (7.8 HIGH)
- CVE-2026-46270 — In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() ... (8.4 HIGH)
- CVE-2026-46269 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix NULL pointer dereference when parsing dev... (5.5 MEDIUM)
Same CWE
- CVE-2026-6676 — Heap buffer out-of-bounds write vulnerability in Avira Antivirus engine when scanning a malformed POSIX tar archive may allow Local Execu... (7.8 HIGH)
- CVE-2025-14098 — Heap buffer out-of-bounds write vulnerability due to integer overflow in Avira Antivirus engine when scanning a malformed MS-DOS executab... (7.8 HIGH)
- CVE-2026-41157 — A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger an out-of-bound write in the GPU ...
- CVE-2026-34195 — Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in t...
- CVE-2025-7004 — Heap buffer out-of-bounds write vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of C... (7.8 HIGH)