CVE-2025-21927

HIGH

Linux Kernel 5.0-6.12.18, 6.13.0-6.13.6 - Out-of-bounds Write in nvme-tcp Recv PDU Header Length Validation

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length.

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/9fbc953d6b38bc824392e01850f0aeee3b348722

Patch

https://git.kernel.org/stable/c/22b06c89aa6b2d1ecb8aea72edfb9d53af8d5126

Patch

https://git.kernel.org/stable/c/ad95bab0cd28ed77c2c0d0b6e76e03e031391064

Scores

CVSS v3 7.8

EPSS 0.0018

EPSS Percentile 7.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-787

Status published

Products (12)

linux/Kernel 5.0.0 - 6.12.19linux

linux/Kernel 6.13.0 - 6.13.7linux

Linux/Linux < 5.0

Linux/Linux 3f2304f8c6d6ed97849057bd16fee99e434ca796 - 22b06c89aa6b2d1ecb8aea72edfb9d53af8d5126

Linux/Linux 3f2304f8c6d6ed97849057bd16fee99e434ca796 - 9fbc953d6b38bc824392e01850f0aeee3b348722

Linux/Linux 3f2304f8c6d6ed97849057bd16fee99e434ca796 - ad95bab0cd28ed77c2c0d0b6e76e03e031391064

Linux/Linux 5.0

Linux/Linux 6.12.19 - 6.12.*

Linux/Linux 6.13.7 - 6.13.*

Linux/Linux 6.14

... and 2 more

Published Apr 01, 2025

Tracked Since Feb 18, 2026