{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46135","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.099Z","datePublished":"2026-05-28T09:35:49.828Z","dateUpdated":"2026-07-04T11:50:41.012Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-07-04T11:50:41.012Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix race between ICReq handling and queue teardown\n\nnvmet_tcp_handle_icreq() updates queue->state after sending an\nInitialization Connection Response (ICResp), but it does so without\nserializing against target-side queue teardown.\n\nIf an NVMe/TCP host sends an Initialization Connection Request\n(ICReq) and immediately closes the connection, target-side teardown\nmay start in softirq context before io_work drains the already\nbuffered ICReq. In that case, nvmet_tcp_schedule_release_queue()\nsets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue\nreference under state_lock.\n\nIf io_work later processes that ICReq, nvmet_tcp_handle_icreq() can\nstill overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the\nDISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and\nallows a later socket state change to re-enter teardown and issue a\nsecond kref_put() on an already released queue.\n\nThe ICResp send failure path has the same problem. If teardown has\nalready moved the queue to DISCONNECTING, a send error can still\noverwrite the state with NVMET_TCP_Q_FAILED, again reopening the\nwindow for a second teardown path to drop the queue reference.\n\nFix this by serializing both post-send state transitions with\nstate_lock and bailing out if teardown has already started.\n\nUse -ESHUTDOWN as an internal sentinel for that bail-out path rather\nthan propagating it as a transport error like -ECONNRESET. Keep\nnvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before\nhonoring that sentinel so receive-side parsing stays quiesced until the\nexisting release path completes."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/tcp.c"],"versions":[{"version":"872d26a391da92ed8f0c0f5cb5fef428067b7f30","lessThan":"5f0b95ef68ab9afba75b20eebf436130f80c161a","status":"affected","versionType":"git"},{"version":"872d26a391da92ed8f0c0f5cb5fef428067b7f30","lessThan":"49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3","status":"affected","versionType":"git"},{"version":"872d26a391da92ed8f0c0f5cb5fef428067b7f30","lessThan":"67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6","status":"affected","versionType":"git"},{"version":"872d26a391da92ed8f0c0f5cb5fef428067b7f30","lessThan":"dcfe4d1f7960e7d1c01642318f3aae1a604f8508","status":"affected","versionType":"git"},{"version":"872d26a391da92ed8f0c0f5cb5fef428067b7f30","lessThan":"5293a8882c549fab4a878bc76b0b6c951f980a61","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/tcp.c"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"6.6.144","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.6.144"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f0b95ef68ab9afba75b20eebf436130f80c161a"},{"url":"https://git.kernel.org/stable/c/49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3"},{"url":"https://git.kernel.org/stable/c/67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6"},{"url":"https://git.kernel.org/stable/c/dcfe4d1f7960e7d1c01642318f3aae1a604f8508"},{"url":"https://git.kernel.org/stable/c/5293a8882c549fab4a878bc76b0b6c951f980a61"}],"title":"nvmet-tcp: fix race between ICReq handling and queue teardown","x_generator":{"engine":"bippy-1.2.0"}}}}