CVE-2026-23376
Received Received - Intake
Use-After-Free Vulnerability in Linux nvmet-fcloop Transport Layer

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nvmet-fcloop: Check remoteport port_state before calling done callback In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources. Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state. If online, then lsrsp->done callback will free the lsrsp. Else, return -ENODEV to signal the nvme-fc transport to handle freeing lsrsp.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23376
EUVD
EUVD-2026-15366
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel From 6.18.1 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.17.3 (inc) to 6.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's nvmet-fcloop component. It involves improper handling of the remoteport's port_state before calling the done callback in the nvme_fc_handle_ls_rqst_work function.

Specifically, the done callback for lsrsp is only set when the remoteport's port_state is FC_OBJSTATE_ONLINE. If the port_state is not online, the low-level driver (LLDD) call to transmit the response is expected to fail, and the nvme-fc transport layer will handle freeing the resources directly instead of relying on the done callback.

The fix updates the fcloop_t2h_xmt_ls_rsp routine to check the remoteport's port_state before proceeding. If the port is online, the done callback is used to free resources; otherwise, it returns an error (-ENODEV) to signal the transport layer to free the resources.


How can this vulnerability impact me? :

This vulnerability relates to the Linux kernel's nvmet-fcloop component where improper checking of the remoteport's port_state before calling the done callback could lead to incorrect handling of resources. If the port_state is not online, the done callback might not be set, potentially causing resource management issues in the nvme-fc transport layer.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart