CVE-2026-22998

UNKNOWN
中文标题:
(暂无数据)
英文标题:
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dere
CVSS分数: N/A
发布时间: 2026-01-25 15:15:54
漏洞类型: (暂无数据)
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v2
漏洞描述
中文描述:

(暂无数据)

英文描述:

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated

CWE类型:
(暂无数据)
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
Linux Linux ee5e7632e981673f42a50ade25e71e612e543d9d - - cpe:2.3:a:linux:linux:ee5e7632e981673f42a50ade25e71e612e543d9d:*:*:*:*:*:*:*
Linux Linux f775f2621c2ac5cc3a0b3a64665dad4fb146e510 - - cpe:2.3:a:linux:linux:f775f2621c2ac5cc3a0b3a64665dad4fb146e510:*:*:*:*:*:*:*
Linux Linux 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d - - cpe:2.3:a:linux:linux:4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d:*:*:*:*:*:*:*
Linux Linux 2871aa407007f6f531fae181ad252486e022df42 - - cpe:2.3:a:linux:linux:2871aa407007f6f531fae181ad252486e022df42:*:*:*:*:*:*:*
Linux Linux 24e05760186dc070d3db190ca61efdbce23afc88 - - cpe:2.3:a:linux:linux:24e05760186dc070d3db190ca61efdbce23afc88:*:*:*:*:*:*:*
Linux Linux 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 - - cpe:2.3:a:linux:linux:70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68:*:*:*:*:*:*:*
Linux Linux 6.8 - - cpe:2.3:a:linux:linux:6.8:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
416baaa9-dc9f-4396-8d5f-8c081fb06d67 OTHER
nvd.nist.gov
访问
416baaa9-dc9f-4396-8d5f-8c081fb06d67 OTHER
nvd.nist.gov
访问
416baaa9-dc9f-4396-8d5f-8c081fb06d67 OTHER
nvd.nist.gov
访问
CVSS评分详情
暂无CVSS评分信息
时间信息
发布时间:
2026-01-25 15:15:54
修改时间:
2026-01-25 15:15:54
创建时间:
2026-01-26 02:11:30
更新时间:
2026-01-27 06:00:17
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
NVD nvd_CVE-2026-22998 2026-01-26 02:00:05 2026-01-25 18:11:30
CVE cve_CVE-2026-22998 2026-01-26 02:40:10 2026-01-25 22:00:01
版本与语言
当前版本: v2
主要语言: EN
支持语言:
EN
安全公告
暂无安全公告信息
变更历史
v2 CVE
2026-01-26 06:00:01
affected_products_count: 0 → 7; data_sources: ['nvd'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 0 -> 7
  • data_sources: ['nvd'] -> ['cve', 'nvd']