CVE-2026-23112

Modified Modified - Updated After Analysis

Out-of-Bounds Read in Linux nvmet-tcp Causes Kernel Crash

Publication date: 2026-02-13

Last updated on: 2026-06-02

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-13

Last Modified

2026-06-02

Generated

2026-06-16

AI Q&A

2026-02-13

EPSS Evaluated

2026-06-15

NVD

CVE-2026-23112

EUVD

EUVD-2026-6171

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	From 5.16 (inc) to 6.1.163 (exc)
linux	linux_kernel	From 6.7 (inc) to 6.12.70 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.124 (exc)
linux	linux_kernel	6.19
linux	linux_kernel	From 6.13 (inc) to 6.18.10 (exc)
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	From 5.0 (inc) to 5.10.250 (exc)
linux	linux_kernel	From 5.11 (inc) to 5.15.200 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-787	The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Linux kernel's nvmet-tcp component, specifically in the function nvmet_tcp_build_pdu_iovec(). The function could read beyond the bounds of the cmd->req.sg array when a Protocol Data Unit (PDU) length or offset exceeds the number of scatter-gather entries (sg_cnt). This out-of-bounds access could cause the function to use invalid scatter-gather length or offset values, potentially leading to a general protection fault (GPF) or Kernel Address Sanitizer (KASAN) error during a memory copy operation (_copy_to_iter()).

Impact Analysis

The impact of this vulnerability could include system crashes or kernel faults due to invalid memory access. This could lead to denial of service conditions where the affected Linux system becomes unstable or unresponsive. Additionally, such faults might be exploitable to cause further security issues, although specific exploitability details are not provided.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-23112. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-23112

Out-of-Bounds Read in Linux nvmet-tcp Causes Kernel Crash

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart