{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-22998","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.938Z","datePublished":"2026-01-25T14:36:12.935Z","dateUpdated":"2026-05-11T21:58:01.694Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:58:01.694Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT → both pointers NULL\n2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot → both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/tcp.c"],"versions":[{"version":"f775f2621c2ac5cc3a0b3a64665dad4fb146e510","lessThan":"baabe43a0edefac8cd7b981ff87f967f6034dafe","status":"affected","versionType":"git"},{"version":"4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d","lessThan":"76abc83a9d25593c2b7613c549413079c14a4686","status":"affected","versionType":"git"},{"version":"2871aa407007f6f531fae181ad252486e022df42","lessThan":"7d75570002929d20e40110d6b03e46202c9d1bc7","status":"affected","versionType":"git"},{"version":"24e05760186dc070d3db190ca61efdbce23afc88","lessThan":"fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4","status":"affected","versionType":"git"},{"version":"efa56305908ba20de2104f1b8508c6a7401833be","lessThan":"3def5243150716be86599c2a1767c29c68838b6d","status":"affected","versionType":"git"},{"version":"efa56305908ba20de2104f1b8508c6a7401833be","lessThan":"374b095e265fa27465f34780e0eb162ff1bef913","status":"affected","versionType":"git"},{"version":"efa56305908ba20de2104f1b8508c6a7401833be","lessThan":"32b63acd78f577b332d976aa06b56e70d054cbba","status":"affected","versionType":"git"},{"version":"ee5e7632e981673f42a50ade25e71e612e543d9d","status":"affected","versionType":"git"},{"version":"70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/tcp.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"5.10.249","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.67","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.7","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.209","versionEndExcluding":"5.10.249"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.148","versionEndExcluding":"5.15.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.75","versionEndExcluding":"6.1.162"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.14","versionEndExcluding":"6.6.122"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.18.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.268"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"},{"url":"https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"},{"url":"https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"},{"url":"https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"},{"url":"https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"},{"url":"https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"},{"url":"https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"}],"title":"nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec","x_generator":{"engine":"bippy-1.2.0"}}}}