KernelScan.io

CRITICAL

nvme-tcp PDU Buffer Overflow

CVE-2026-23112

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.

Engine v0.2.0

Risk summary

A critical buffer overflow in the NVMe over TCP target driver allows remote attackers to cause kernel crashes or potentially execute arbitrary code by sending specially crafted PDUs with invalid length/offset values. This affects any system running NVMe over TCP target services.

Affected: drivers/nvme/target/tcp.c

Vulnerability analysis

Root Cause: The nvmet_tcp_build_pdu_iovec() function lacks bounds checking when iterating through scatter-gather list entries. When a PDU length or offset exceeds the available sg_cnt, the function can walk past the end of the cmd->req.sg scatterlist and read from invalid memory, using bogus sg->length/offset values to build the bvec.

Attack Surface: Network-accessible through NVMe over TCP protocol. Requires ability to send malformed NVMe-TCP PDUs with crafted length/offset values to trigger the out-of-bounds access. No special privileges required beyond network connectivity to the NVMe target.

Fix Mechanism: The patch adds comprehensive bounds checking: (1) validates sg_idx against sg_cnt before initial sg access, (2) tracks remaining sg entries during iteration, (3) validates each sg entry has non-zero length and sufficient data for the requested offset, (4) calls nvmet_tcp_fatal_error() to safely handle boundary violations instead of continuing with invalid memory access.

Branch     Fixed in    Patch commit
5.10       5.10.253    0b9981751be1
5.15       5.15.200    42afe8ed8ad2
6.1        6.1.163     1385be357e8a
6.12       6.12.70     19672ae68d52
6.18       6.18.10     ab200d71553b
6.6        6.6.124     dca1a6ba0da9
mainline   6.19        52a0a9854934