CVE-2026-23360
Received Received - Intake
Memory Leak in Linux Kernel NVMe Admin Queue on Reset

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avoid orphaning the old queue. This fixes a regression introduced by commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime").
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23360
EUVD
EUVD-2026-15339
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel From 6.18.1 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.12.62 (inc) to 6.12.77 (exc)
linux linux_kernel From 6.17.12 (inc) to 6.18 (exc)
linux linux_kernel From 6.6.120 (inc) to 6.6.131 (exc)
linux linux_kernel 6.1.167
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's NVMe driver related to the handling of the admin queue during a controller reset.

Specifically, when the function nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still be present but not properly released.

Failing to release the old admin queue before allocating a new one causes the old queue to be orphaned, leading to a resource leak.

This issue was introduced as a regression by a previous commit that aimed to fix the admin request queue lifetime.

Impact Analysis

The vulnerability can lead to a resource leak in the Linux kernel's NVMe driver during controller resets.

This resource leak may cause increased memory usage or depletion of kernel resources over time, potentially leading to degraded system performance or instability.

In environments with frequent NVMe controller resets, this could result in system crashes or failures if resources are exhausted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23360. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart