CVE-2026-23148

Description

In the Linux kernel, the following vulnerability has been resolved:nvmet: fix race in nvmet_bio_done() leading to null pointer dereferenceThere is a race condition in nvmet_bio_done() that can cause a nullpointer dereference in blk_cgroup_bio_start():1. nvmet_bio_done() is called when a bio completes2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)3. The queue_response callback can re-queue and re-submit the same request4. The re-submission reuses the same inline_bio from nvmet_req5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to null6. The re-submitted bio enters submit_bio_noacct_nocheck()7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash: BUG: kernel null pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()BEFORE nvmet_req_complete(). This ensures the bio is cleaned up beforethe request can be re-submitted, preventing the race condition.

Risk Information

Base Score

5.5

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

Exploitation Probability

0.015

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234