CVE-2026-22998

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix null pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b (nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length) added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without null checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger null pointer dereferences:
1. H2C_DATA PDU sent before CONNECT: both pointers null
2. H2C_DATA PDU for READ command: cmd->req.sg allocated, cmd->iov null
3. H2C_DATA PDU for uninitialized command slot: both pointers null

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both null
- READ commands: cmd->req.sg allocated, cmd->iov null
- WRITE commands: both allocated

Risk Information

Base Score: 7.5 MODERATE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score (Exploitation Probability): 0.044
