CVE-2026-23112 – Null Pointer Dereference in NVMe/TCP (nvmet_tcp_build_pdu_iovec)

Overview #

CVE ID: CVE-2026-23112
Component: Linux Kernel – NVMe over TCP target (nvmet-tcp)
Affected function: nvmet_tcp_build_pdu_iovec()
Severity: Medium / High (kernel crash / DoS vector depending on context)

This vulnerability affects the Linux kernel NVMe/TCP target implementation, specifically within the function responsible for building protocol data unit (PDU) I/O vectors.

Technical Description #

The issue originates from insufficient validation of scatter-gather (SG) list boundaries when processing NVMe/TCP PDUs.

According to the official vulnerability description:

  • The function may iterate beyond the valid scatter-gather list (cmd->req.sg) when handling malformed or crafted PDUs.
  • This happens when PDU length or offset exceeds the number of SG entries (sg_cnt).
  • As a result, the kernel may use invalid memory references (bogus sg->length or offsets).

This improper bounds handling can lead to:

  • Out-of-bounds memory access
  • NULL pointer dereference
  • General Protection Fault (GPF) or kernel panic
  • Potential Denial of Service (DoS) conditions

Root Cause #

The vulnerability is caused by:

  • Missing validation of:
    • Scatter-gather index (sg_idx)
    • Remaining SG entries
    • SG entry length and offsets
  • Lack of defensive checks before building the block vector (bvec)

In short, the function assumes valid input from the network, which allows malformed NVMe/TCP traffic to trigger unsafe memory access.

Impact #

An attacker capable of sending crafted NVMe/TCP traffic to a vulnerable system could:

  • Trigger a kernel crash
  • Cause service disruption (DoS)
  • Potentially impact storage availability in NVMe/TCP environments

There is no evidence of privilege escalation, but reliability and availability are directly affected.

Affected Systems #

  • Linux kernel versions where:
    • NVMe target (nvmet) is enabled
    • NVMe over TCP (nvmet-tcp) is in use
  • Systems exposing NVMe/TCP targets to untrusted or external networks

Distributions tracking this vulnerability (e.g., Debian) include it in their security advisories and patch cycles.

Fix / Patch #

The upstream fix introduces:

  • Proper bounds checking for:
    • SG index
    • Number of entries
    • Length and offset validation
  • Prevention of invalid memory traversal during PDU processing

Patched kernel versions include stable branches where these checks were added (e.g., 5.10.x, 5.15.x, 6.x stable lines with fixes applied).
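
As an added illustration of the bounds checks the fix introduces (constructed for this advisory; it is not the kernel's nvmet_tcp_build_pdu_iovec() nor its data structures, and the struct names, build_pdu_iovec() and the sample SG list are assumptions), a minimal SG-walking iovec builder that validates the PDU-supplied index, offset and length before any entry is read:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an SG entry and of one iovec built from it; not the
 * kernel's struct scatterlist / bio_vec. Field names are assumptions. */
struct sg_entry { uint32_t length; };
struct iov { size_t sg_idx; uint32_t offset; uint32_t len; };

/* Walk the SG list from (sg_idx, sg_off) and cover pdu_len bytes, emitting
 * one iovec per entry touched. Returns the number of iovecs, or -1 when the
 * PDU-supplied index, offset or length would run past the list (the input
 * class the advisory describes). Every index is checked before sg[] is read. */
int build_pdu_iovec(const struct sg_entry *sg, size_t sg_cnt,
                    size_t sg_idx, uint32_t sg_off, uint32_t pdu_len,
                    struct iov *out, size_t max_out)
{
    size_t n = 0;
    if (sg == NULL || out == NULL || sg_idx >= sg_cnt)
        return -1;                         /* start index beyond the list */
    while (pdu_len > 0) {
        if (sg_idx >= sg_cnt || n >= max_out)
            return -1;                     /* ran out of SG entries / output */
        if (sg_off >= sg[sg_idx].length)
            return -1;                     /* offset past (or empty) entry */
        uint32_t avail = sg[sg_idx].length - sg_off;
        uint32_t take = pdu_len < avail ? pdu_len : avail;
        out[n].sg_idx = sg_idx;
        out[n].offset = sg_off;
        out[n].len = take;
        n++;
        pdu_len -= take;
        sg_idx++;                          /* next entry starts at offset 0 */
        sg_off = 0;
    }
    return (int)n;
}

/* Constructed three-entry list: 4096 + 4096 + 1024 = 9216 bytes in total. */
static const struct sg_entry sample_sg[3] = { {4096}, {4096}, {1024} };

int main(void)
{
    struct iov out[8];
    int ok  = build_pdu_iovec(sample_sg, 3, 0, 0, 9216, out, 8);  /* 3 */
    int bad = build_pdu_iovec(sample_sg, 3, 0, 0, 9217, out, 8);  /* -1 */
    printf("valid PDU -> %d iovecs, oversized PDU -> %d\n", ok, bad);
    return 0;
}
```

Without the two checks inside the loop, the oversized and mis-offset cases would read sg[3] or subtract past an entry's length, which is the bogus sg->length / offset behaviour the description attributes to the vulnerable function.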

Mitigation #

If patching is not immediately possible:

  • Disable NVMe/TCP target functionality if not required
  • Restrict access to NVMe/TCP services via:
    • Network segmentation
    • Firewall rules
  • Avoid exposing NVMe/TCP endpoints to untrusted networks

RELIANOID Impact Assessment #

Exposure Status #

RELIANOID Load Balancer is NOT affected by this vulnerability.

Reason #

The vulnerability exists in the NVMe/TCP target subsystem, which:

  • Is not used by RELIANOID
  • Is not loaded in default deployments

RELIANOID focuses on network load balancing and application delivery, not on NVMe storage target services.

Therefore, even if the underlying kernel contains the vulnerable code, it is neither reachable nor exploitable in RELIANOID environments.

RELIANOID Patch Policy #

Although the vulnerability is not exploitable in RELIANOID deployments, security best practices are still followed:

The official fix is included in:

  • RELIANOID Enterprise Edition (EE) > 8.5
  • RELIANOID Community Edition (CE) > 7.9

This ensures:

  • Alignment with upstream kernel security patches
  • Compliance with security standards and vulnerability scanning tools
  • Reduced false positives in compliance audits

Recommendation #

  • No immediate action required for RELIANOID users
  • Upgrade to: EE > 8.5 and CE > 7.9 to maintain full security compliance

References #

National Vulnerability Database – CVE-2026-23112
Debian Security Tracker – CVE-2026-23112
Linux kernel patch notes (nvmet-tcp bounds checking fix)

Summary #

CVE-2026-23112 is a kernel-level vulnerability in the NVMe/TCP target path that can lead to kernel crashes due to improper bounds checking. While relevant for storage systems using NVMe/TCP, it does not impact RELIANOID deployments, as the affected module is neither used nor loaded. Nonetheless, patched versions are included in recent RELIANOID releases to ensure full security compliance.