CVE-2026-23148
Race Condition in Linux nvmet Causes NULL Pointer Dereference
Publication date: 2026-02-14
Last updated on: 2026-04-03
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.12.37 (inc) to 6.12.69 (exc) |
| linux | linux_kernel | From 6.15.6 (inc) to 6.16 (exc) |
| linux | linux_kernel | From 6.16.1 (inc) to 6.18.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the Linux kernel's nvmet module, specifically in the function nvmet_bio_done().
When a bio (block I/O operation) completes, nvmet_bio_done() is called, which eventually leads to re-queuing and re-submitting the same request. However, due to the order of operations, the bio's internal data structure (inline_bio) is cleaned up (its bi_blkg field set to NULL) after the request is completed but before the re-submission.
This causes a NULL pointer dereference in blk_cgroup_bio_start() when it tries to access bio->bi_blkg, leading to a kernel crash.
The fix involves reordering the calls in nvmet_bio_done() to ensure the bio is cleaned up before the request can be re-submitted, preventing the race condition.
How can this vulnerability impact me?
This vulnerability can cause a kernel NULL pointer dereference, which leads to a kernel crash (system crash or panic).
Such crashes can result in denial of service (DoS) conditions, making the affected system unstable or unavailable until it is rebooted or the issue is resolved.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by a race condition in the Linux kernel's nvmet module leading to a NULL pointer dereference and kernel crash.
To mitigate this vulnerability, update your Linux kernel to a version where the nvmet_bio_done() function has been fixed by reordering calls so that nvmet_req_bio_put() is called before nvmet_req_complete(). This ensures proper cleanup of the bio before any re-submission, preventing the race condition.
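To decide which hosts need that update first, the following added example (not part of the original page or of the kernel project) compares a kernel release string with the ranges in the Affected Vendors & Products table and reports whether nvmet currently appears under /sys/module. The function names are made up for this example, and the bare "6.16" and "6.19" rows are treated as exact matches, which is an assumption about how the table is meant to be read.

```shell
#!/bin/sh
# Added example: first-pass triage for CVE-2026-23148 from the version table.
# Distribution kernels may backport the fix without changing the upstream
# version number, so confirm any match against the vendor's advisory.

# "6.12.40-generic" -> 6012040 (major*10^6 + minor*10^3 + patch)
ver_key() {
    v=${1%%[!0-9.]*}        # drop suffixes such as "-rc4" or "-generic"
    IFS=.                   # only ever run inside $(...), so IFS does not leak
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION LOW_INCLUSIVE HIGH_EXCLUSIVE
in_range() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key "$2")" ] && [ "$k" -lt "$(ver_key "$3")" ]
}

# Returns 0 when VERSION falls in a range listed on the page, 1 otherwise.
nvmet_cve_affected() {
    in_range "$1" 6.12.37 6.12.69 && return 0   # 6.12.37 (inc) to 6.12.69 (exc)
    in_range "$1" 6.15.6  6.16    && return 0   # 6.15.6 (inc) to 6.16 (exc)
    in_range "$1" 6.16.1  6.18.9  && return 0   # 6.16.1 (inc) to 6.18.9 (exc)
    in_range "$1" 6.16    6.16.1  && return 0   # exact row "6.16" (assumption)
    in_range "$1" 6.19    6.19.1  && return 0   # exact row "6.19" (assumption)
    return 1
}

# Prints a one-line verdict; the nvmet check only applies to the local host.
nvmet_cve_report() {
    if ! nvmet_cve_affected "$1"; then
        echo "$1: not in the ranges listed for CVE-2026-23148"
    elif [ -d /sys/module/nvmet ]; then
        echo "$1: in a listed range and nvmet is present; prioritise the update"
    else
        echo "$1: in a listed range; nvmet is not present right now"
    fi
}

nvmet_cve_report "$(uname -r)"
```

Hosts that never load nvmet (the NVMe target side) do not reach nvmet_bio_done(), so the second check helps order the patching queue rather than excuse a host from it.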