{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T19:23:01.929","vulnerabilities":[{"cve":{"id":"CVE-2026-22998","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-25T15:15:54.643","lastModified":"2026-04-27T14:16:28.597","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT → both pointers NULL\n2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot → both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvme-tcp: soluciona desreferencias de puntero NULL en nvmet_tcp_build_pdu_iovec\n\nEl commit efa56305908b ('nvmet-tcp: Soluciona un pánico del kernel cuando el host envía una longitud de PDU H2C inválida') añadió la comprobación de límites de ttag y la validación de data_offset en nvmet_tcp_handle_h2c_data_pdu(), pero no validó si las estructuras de datos del comando (cmd->req.sg y cmd->iov) han sido inicializadas correctamente antes de procesar las PDUs H2C_DATA.\n\nLa función nvmet_tcp_build_pdu_iovec() desreferencia estos punteros sin comprobaciones de NULL. Esto puede ser provocado enviando una PDU H2C_DATA inmediatamente después del handshake ICREQ/ICRESP, antes de enviar un comando CONNECT o un comando de escritura NVMe.\n\nVectores de ataque que provocan desreferencias de puntero NULL:\n1. PDU H2C_DATA enviada antes de CONNECT ? ambos punteros NULL\n2. PDU H2C_DATA para comando READ ? cmd->req.sg asignado, cmd->iov NULL\n3. PDU H2C_DATA para slot de comando no inicializado ? ambos punteros NULL\n\nLa solución valida tanto cmd->req.sg como cmd->iov antes de llamar a nvmet_tcp_build_pdu_iovec(). Ambas comprobaciones son necesarias porque:\n- Comandos no inicializados: ambos NULL\n- Comandos READ: cmd->req.sg asignado, cmd->iov NULL\n- Comandos WRITE: ambos asignados"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.268","versionEndExcluding":"5.5","matchCriteriaId":"2E4BEAC0-E873-440D-A75E-55699C2412A4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.209","versionEndExcluding":"5.10.249","matchCriteriaId":"B6983E9C-F8A9-4494-8156-3E2F7E736BF8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.148","versionEndExcluding":"5.15.199","matchCriteriaId":"B0275B58-DF8C-46AE-B9A5-20396D123D12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.75","versionEndExcluding":"6.1.162","matchCriteriaId":"9DE91ACC-6DAF-42AE-8D41-3A91572E9052"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.14","versionEndExcluding":"6.6.122","matchCriteriaId":"68AE0BF9-0835-45D8-AACC-EDFAC1663259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.2","versionEndExcluding":"6.12.67","matchCriteriaId":"2B14F508-4490-4A35-BEFC-40EF300279E7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.7","matchCriteriaId":"99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}