CVE-2026-22998

EPSS 0.02%
Veröffentlicht 25.01.2026 14:36:12
Zuletzt bearbeitet 30.01.2026 10:15:56
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4

Version 24e05760186dc070d3db190ca61efdbce23afc88

Status affected

Version < 3def5243150716be86599c2a1767c29c68838b6d

Version efa56305908ba20de2104f1b8508c6a7401833be

Status affected

Version < 374b095e265fa27465f34780e0eb162ff1bef913

Version efa56305908ba20de2104f1b8508c6a7401833be

Status affected

Version < 32b63acd78f577b332d976aa06b56e70d054cbba

Version efa56305908ba20de2104f1b8508c6a7401833be

Status affected

Version ee5e7632e981673f42a50ade25e71e612e543d9d

Status affected

Version f775f2621c2ac5cc3a0b3a64665dad4fb146e510

Status affected

Version 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d

Status affected

Version 2871aa407007f6f531fae181ad252486e022df42

Status affected

Version 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.8

Status affected

Version < 6.8

Version 0

Status unaffected

Version <= 6.6.*

Version 6.6.122

Status unaffected

Version <= 6.12.*

Version 6.12.67

Status unaffected

Version <= 6.18.*

Version 6.18.7

Status unaffected

Version <= *

Version 6.19-rc6

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.055

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d

https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913

https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba

https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4

https://nvd.nist.gov/vuln/detail/CVE-2026-22998

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22998

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22998

EUVD