CVE-2026-52989
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (2)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Linux | Linux | — | 1385be357e8acd09b36e026567f3a9d5c61139de < 3df42a854686fa06484e37ac1a3931c8e3e3453c, dca1a6ba0da9f472ef040525fab10fd9956db59f < d7c8f95f599b3b38a717d2e771c3f8c174f657c3, 19672ae68d52ff75347ebe2420dde1b07adca09f < f9204a2b78dd18374d3bcf9bf93d9021ce22de1b, ab200d71553bdcf4de554a5985b05b2dd606bc57 < c2a11441538bdbbc5aa003f190995eba93a89b88 … |
| Linux | Linux | — | 6.19, 0 < 6.19, 6.1.175 ≤ 6.1.*, 6.6.141 ≤ 6.6.* … |
References (6)
- https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c
- https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3
- https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b
- https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88
- https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0
- https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538