CVE-2026-22998
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-25

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT β†’ both pointers NULL 2. H2C_DATA PDU for READ command β†’ cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot β†’ both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-25
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-01-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22998
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.7 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.10.209 (inc) to 5.10.249 (exc)
linux linux_kernel From 5.15.148 (inc) to 5.15.199 (exc)
linux linux_kernel From 5.4.268 (inc) to 5.5 (exc)
linux linux_kernel From 6.1.75 (inc) to 6.1.162 (exc)
linux linux_kernel From 6.6.14 (inc) to 6.6.122 (exc)
linux linux_kernel From 6.7.2 (inc) to 6.12.67 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's nvme-tcp subsystem involves NULL pointer dereferences in the function nvmet_tcp_build_pdu_iovec. The issue occurs because the function dereferences pointers (cmd->req.sg and cmd->iov) without checking if they are NULL. This can be triggered by sending H2C_DATA PDUs prematurely or in certain invalid sequences, such as sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake before a CONNECT or NVMe write command. The vulnerability arises from uninitialized or partially initialized command data structures, leading to potential kernel panics.

Impact Analysis

This vulnerability can cause kernel panics due to NULL pointer dereferences when invalid or premature H2C_DATA PDUs are sent. This can lead to denial of service conditions on affected systems running the vulnerable Linux kernel, potentially disrupting normal operations.

Mitigation Strategies

Apply the patch that fixes the nvmet_tcp_build_pdu_iovec() function by adding NULL pointer checks for cmd->req.sg and cmd->iov before processing H2C_DATA PDUs. This patch prevents kernel panics caused by NULL pointer dereferences triggered by invalid or out-of-order H2C_DATA PDUs. Until patched, avoid sending H2C_DATA PDUs before the CONNECT command or NVMe write commands to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart