nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.

Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.

AI Analysis

A vulnerability in the Linux kernel's nvmet-tcp module allows an attacker to cause a denial of service or potentially execute arbitrary code, due to the improper handling of errors in the nvmet_tcp_build_pdu_iovec() function.

Basic Information

ID CVE-2026-52989

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version 1385be357e8acd09b36e026567f3a9d5c61139de

Affected Versions Linux Linux 1385be357e8acd09b36e026567f3a9d5c61139de
Linux Linux dca1a6ba0da9f472ef040525fab10fd9956db59f
Linux Linux 19672ae68d52ff75347ebe2420dde1b07adca09f
Linux Linux ab200d71553bdcf4de554a5985b05b2dd606bc57
Linux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c
Linux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c
Linux Linux 043b4307a99f902697349128fde93b2ddde4686c
Linux Linux 42afe8ed8ad2de9c19457156244ef3e1eca94b5d
Linux Linux 6.1.163
Linux Linux 6.6.124
Linux Linux 6.12.70
Linux Linux 6.18.10
Linux Linux 5.10.250
Linux Linux 5.15.200
Linux Linux 6.19

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 5.10.250, 5.15.200, 6.1.163, 6.6.124, 6.12.70, 6.18.10, 6.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\n\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\nPDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)\nand returns early. However, because the function returns void, the\ncallers are entirely unaware that a fatal error has occurred and\nthat the cmd->recv_msg.msg_iter was left uninitialized.\n\nCallers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly\noverwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA\nConsequently, the socket receiving loop may attempt to read incoming\nnetwork data into the uninitialized iterator.\n\nFix this by shifting the error handling responsibility to the callers.",
    "published": "2026-06-24T16:29:03.398Z",
    "modified": "2026-06-28T06:37:43.647Z",
    "type": "cve",
    "title": "nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c\nhttps://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3\nhttps://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b\nhttps://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88\nhttps://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0\nhttps://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538",
    "id": "CVE-2026-52989",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1385be357e8acd09b36e026567f3a9d5c61139de\nLinux Linux dca1a6ba0da9f472ef040525fab10fd9956db59f\nLinux Linux 19672ae68d52ff75347ebe2420dde1b07adca09f\nLinux Linux ab200d71553bdcf4de554a5985b05b2dd606bc57\nLinux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c\nLinux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c\nLinux Linux 043b4307a99f902697349128fde93b2ddde4686c\nLinux Linux 42afe8ed8ad2de9c19457156244ef3e1eca94b5d\nLinux Linux 6.1.163\nLinux Linux 6.6.124\nLinux Linux 6.12.70\nLinux Linux 6.18.10\nLinux Linux 5.10.250\nLinux Linux 5.15.200\nLinux Linux 6.19",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1385be357e8acd09b36e026567f3a9d5c61139de",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's nvmet-tcp module allows an attacker to cause a denial of service or potentially execute arbitrary code, due to the improper handling of errors in the nvmet_tcp_build_pdu_iovec() function.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "5.10.250, 5.15.200, 6.1.163, 6.6.124, 6.12.70, 6.18.10, 6.19",
    "ai_score": 9.8
}