CVE-2026-23112 PUBLISHED

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

Assigner: Linux
Reserved: 13.01.2026 Published: 13.02.2026 Updated: 13.02.2026

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
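The guard pattern named in the description, shown as an added userspace model (not the kernel patch and not code from this record). All `model_*` names, the 4096-byte page per sg entry, and the sample table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: each sg entry maps one page */

struct model_sg   { uint32_t offset, length; };      /* stand-in for an sg entry */
struct model_bvec { uint32_t sg_idx, offset, len; }; /* stand-in for a bvec */

/* Constructed sample: a command whose data spans two full pages. */
static const struct model_sg sample_sg[2] = { {0, 4096}, {0, 4096} };

/*
 * Describe pdu_len bytes starting at byte pdu_off of the command data.
 * Returns the number of bvec entries written, or -1 when the PDU would reach
 * outside sg[0..sg_cnt) or an entry's length/offset is inconsistent.
 */
int model_build_pdu_iovec(const struct model_sg *sg, uint32_t sg_cnt,
                          uint32_t pdu_off, uint32_t pdu_len,
                          struct model_bvec *out, uint32_t out_cnt)
{
    uint32_t sg_idx = pdu_off / MODEL_PAGE_SIZE;
    uint32_t sg_off = pdu_off % MODEL_PAGE_SIZE;
    uint32_t n = 0;

    while (pdu_len) {
        /* Guard sg_idx and the remaining entries before touching sg[]. */
        if (sg_idx >= sg_cnt || n >= out_cnt)
            return -1;
        const struct model_sg *e = &sg[sg_idx];
        /* Guard sg->length/offset: non-empty, inside one page, offset in range. */
        if (e->length == 0 || e->length > MODEL_PAGE_SIZE ||
            e->offset > MODEL_PAGE_SIZE - e->length || sg_off >= e->length)
            return -1;
        uint32_t len = e->length - sg_off;
        if (len > pdu_len)
            len = pdu_len;
        out[n++] = (struct model_bvec){ sg_idx, e->offset + sg_off, len };
        pdu_len -= len;
        sg_idx++;
        sg_off = 0;
    }
    return (int)n;
}

int main(void)
{
    struct model_bvec bv[4];
    printf("in range: %d\n", model_build_pdu_iovec(sample_sg, 2, 100, 5000, bv, 4));
    printf("past end: %d\n", model_build_pdu_iovec(sample_sg, 2, 4096, 8192, bv, 4));
    return 0;
}
```

Without the `sg_idx >= sg_cnt` test, the second call would index past the two-entry table and read whatever follows it as an entry's length and offset, which is the failure the description reports.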

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to 043b4307a99f902697349128fde93b2ddde4686c (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to 42afe8ed8ad2de9c19457156244ef3e1eca94b5d (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to 1385be357e8acd09b36e026567f3a9d5c61139de (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to dca1a6ba0da9f472ef040525fab10fd9956db59f (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to 19672ae68d52ff75347ebe2420dde1b07adca09f (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to ab200d71553bdcf4de554a5985b05b2dd606bc57 (excl.)
  • affected from 872d26a391da92ed8f0c0f5cb5fef428067b7f30 to 52a0a98549344ca20ad81a4176d68d28e3c05a5c (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.0 is affected
  • unaffected from 0 to 5.0 (excl.)
  • unaffected from 5.10.250 to 5.10.* (incl.)
  • unaffected from 5.15.200 to 5.15.* (incl.)
  • unaffected from 6.1.163 to 6.1.* (incl.)
  • unaffected from 6.6.124 to 6.6.* (incl.)
  • unaffected from 6.12.70 to 6.12.* (incl.)
  • unaffected from 6.18.10 to 6.18.* (incl.)
  • unaffected from 6.19 to * (incl.)

References