CVE-2026-52989

CRITICAL

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.

Scores

CVSS v3 9.8
EPSS 0.0034
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-390
Status published
Products (27)
linux/Kernel < 6.1.175linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 6.19
Linux/Linux 043b4307a99f902697349128fde93b2ddde4686c
Linux/Linux 1385be357e8acd09b36e026567f3a9d5c61139de - 3df42a854686fa06484e37ac1a3931c8e3e3453c
Linux/Linux 19672ae68d52ff75347ebe2420dde1b07adca09f - f9204a2b78dd18374d3bcf9bf93d9021ce22de1b
Linux/Linux 42afe8ed8ad2de9c19457156244ef3e1eca94b5d
... and 17 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026