CVE-2026-52989
Analyzed Analyzed - Analysis Complete

NVMe/TCP Out-of-Bounds PDU Handling Flaw in Linux Kernel

Vulnerability report for CVE-2026-52989, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-15

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 7.1
linux linux_kernel From 5.10.250 (inc) to 5.11 (exc)
linux linux_kernel From 5.15.200 (inc) to 5.16 (exc)
linux linux_kernel From 6.1.163 (inc) to 6.1.175 (exc)
linux linux_kernel From 6.12.70 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.18.10 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19.1 (inc) to 7.0.10 (exc)
linux linux_kernel From 6.6.124 (inc) to 6.6.141 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-390 The product detects a specific error, but takes no actions to handle the error.
CWE-908 The product uses or accesses a resource that has not been initialized.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's nvmet-tcp component. Specifically, the function nvmet_tcp_build_pdu_iovec() detects errors such as out-of-bounds PDU length or offset and triggers a fatal error, but because it returns void, its callers do not know an error occurred. As a result, callers like nvmet_tcp_handle_h2c_data_pdu() continue processing and overwrite queue state, leading to attempts to read network data into an uninitialized iterator. This improper error propagation can cause unexpected behavior in the network data handling.

Impact Analysis

The vulnerability can cause the Linux kernel's network receiving loop to operate on uninitialized data structures, potentially leading to memory corruption or crashes. This may affect system stability and reliability when handling network data over nvmet-tcp, possibly resulting in denial of service or other unpredictable behavior.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52989. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart