CVE-2026-23112
CRITICALLinux Kernel 5.0.0-6.18.9 - Out-of-bounds Write in nvmet-tcp PDU Builder
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
References (9)
Core 9
Core References
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Scores
CVSS v3
9.8
EPSS
0.0040
EPSS Percentile
32.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (27)
linux/Kernel
5.0.0 - 5.10.250linux
linux/Kernel
5.0.0 - 5.10.253linux
linux/Kernel
5.11.0 - 5.15.200linux
linux/Kernel
5.16.0 - 6.1.163linux
linux/Kernel
6.13.0 - 6.18.10linux
linux/Kernel
6.2.0 - 6.6.124linux
linux/Kernel
6.7.0 - 6.12.70linux
Linux/Linux
< 5.0
Linux/Linux
5.0
Linux/Linux
5.10.250 - 5.10.*
... and 17 more
Published
Feb 13, 2026
Tracked Since
Feb 18, 2026