CVE-2026-23261
Undergoing Analysis Undergoing Analysis - In Progress
Memory Leak in Linux Kernel NVMe-FC Controller Initialization

Publication date: 2026-03-18

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nvme-fc: release admin tagset if init fails nvme_fabrics creates an NVMe/FC controller in following path: nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl() nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc. Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23261
EUVD
EUVD-2026-12896
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.17.10 (inc) to 6.18 (exc)
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.12.60 (inc) to 6.12.70 (exc)
linux linux_kernel From 6.18.1 (inc) to 6.18.10 (exc)
linux linux_kernel From 6.6.118 (inc) to 6.6.124 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by ensuring that the admin tagset is properly released if the NVMe/FC controller initialization fails, preventing memory leaks.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating is not immediately possible, monitor for memory leaks and controller initialization failures to identify potential impact.
  • Consider restarting affected NVMe/FC services or the system to reclaim leaked resources until a patch can be applied.
Executive Summary

This vulnerability exists in the Linux kernel's NVMe over Fibre Channel (nvme-fc) driver. When creating an NVMe/FC controller, if the initialization process fails after allocating admin block multi-queue (blk-mq) resources, the allocated admin tagset is not properly freed. This leads to a memory leak because the admin queue/tag set remains allocated even though the controller setup was aborted.

Specifically, during the controller creation process, if any step after nvme_add_ctrl() succeeds but before completion fails, the code jumps to a failure path that tears down controller references but neglects to free the admin tagset. The fix involves checking if the admin tagset is set in the failure path and calling a function to remove it, ensuring all allocated resources are reclaimed.

Impact Analysis

This vulnerability can cause a memory leak in the Linux kernel when NVMe/FC controllers fail to initialize properly. Over time, repeated failures could lead to increased memory consumption, potentially degrading system performance or causing resource exhaustion.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a memory leak in the NVMe/FC controller admin tagset when initialization fails. Detection can be approached by monitoring for memory leaks related to NVMe/FC devices on the system.

One way to detect this issue is to use kmemleak, a kernel memory leak detector, since the description mentions that the leaked blk-mq allocations match kmemleak reports seen during tests.

  • Enable kmemleak in the kernel (if not already enabled) and check for reports related to NVMe/FC admin tagset leaks.
  • Use the command: `cat /sys/kernel/debug/kmemleak` to view current memory leak reports.
  • Monitor system logs for errors or warnings related to NVMe/FC controller initialization failures.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23261. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart