{"id":66567,"date":"2026-06-28T03:28:19","date_gmt":"2026-06-28T03:28:19","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=66567"},"modified":"2026-06-28T03:28:19","modified_gmt":"2026-06-28T03:28:19","slug":"nvmet-tcp-propagate-nvmettcpbuildpduiovec-errors-to-its-callers","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=66567","title":{"rendered":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989"},"content":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\\n\\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\\nPDU length or offset, it triggers nvmet_tcp_fatal_error(cmd-\\u003equeue)\\nand returns early. However, because the function returns void, the\\ncallers are entirely unaware that a fatal error has occurred and\\nthat the cmd-\\u003erecv_msg.msg_iter was left uninitialized.\\n\\nCallers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly\\noverwrite the queue state with queue-\\u003ercv_state = NVMET_TCP_RECV_DATA\\nConsequently, the socket receiving loop may attempt to read incoming\\nnetwork data into the uninitialized iterator.\\n\\nFix this by shifting the error handling responsibility to the callers.”,”published”:”2026-06-24T16:29:03.398Z”,”modified”:”2026-06-28T06:37:43.647Z”,”type”:”cve”,”title”:”nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/3df42a854686fa06484e37ac1a3931c8e3e3453c\\nhttps:\/\/git.kernel.org\/stable\/c\/d7c8f95f599b3b38a717d2e771c3f8c174f657c3\\nhttps:\/\/git.kernel.org\/stable\/c\/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b\\nhttps:\/\/git.kernel.org\/stable\/c\/c2a11441538bdbbc5aa003f190995eba93a89b88\\nhttps:\/\/git.kernel.org\/stable\/c\/046fa5c72d15cd8e2d592e275697ea399d8f76b0\\nhttps:\/\/git.kernel.org\/stable\/c\/ea8e356acb165cb1fd75537a52e1f66e5e76c538″,”id”:”CVE-2026-52989″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 1385be357e8acd09b36e026567f3a9d5c61139de\\nLinux Linux dca1a6ba0da9f472ef040525fab10fd9956db59f\\nLinux Linux 19672ae68d52ff75347ebe2420dde1b07adca09f\\nLinux Linux ab200d71553bdcf4de554a5985b05b2dd606bc57\\nLinux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c\\nLinux Linux 52a0a98549344ca20ad81a4176d68d28e3c05a5c\\nLinux Linux 043b4307a99f902697349128fde93b2ddde4686c\\nLinux Linux 42afe8ed8ad2de9c19457156244ef3e1eca94b5d\\nLinux Linux 6.1.163\\nLinux Linux 6.6.124\\nLinux Linux 6.12.70\\nLinux Linux 6.18.10\\nLinux Linux 5.10.250\\nLinux Linux 5.15.200\\nLinux Linux 6.19″,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”1385be357e8acd09b36e026567f3a9d5c61139de”,”vendor”:”Linux”,”ai_description”:”A vulnerability in the Linux kernel’s nvmet-tcp module allows an attacker to cause a denial of service or potentially execute arbitrary code, due to the improper handling of errors in the nvmet_tcp_build_pdu_iovec() function.”,”ai_severity”:”Critical”,”ai_vendor”:”Linux”,”ai_product”:”Linux Kernel”,”ai_version”:”5.10.250, 5.15.200, 6.1.163, 6.6.124, 6.12.70, 6.18.10, 6.19″,”ai_score”:9.8}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\\n\\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\\nPDU length or offset, it…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5],"class_list":["post-66567","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=66567\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callersnnCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-boundsnPDU length or offset, it...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=66567\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-28T03:28:19+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989\",\"datePublished\":\"2026-06-28T03:28:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567\"},\"wordCount\":517,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66567#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567\",\"name\":\"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-28T03:28:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66567\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66567#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=66567","og_locale":"en_US","og_type":"article","og_title":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem","og_description":"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callersnnCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-boundsnPDU length or offset, it...","og_url":"https:\/\/zero.redgem.net\/?p=66567","og_site_name":"zero redgem","article_published_time":"2026-06-28T03:28:19+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=66567#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=66567"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989","datePublished":"2026-06-28T03:28:19+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=66567"},"wordCount":517,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=66567#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=66567","url":"https:\/\/zero.redgem.net\/?p=66567","name":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-28T03:28:19+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=66567#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=66567"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=66567#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers_CVE-2026-52989"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=66567"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66567\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=66567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=66567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=66567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}