{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec",
    "id" : "2432671",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2432671"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT → both pointers NULL\n2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot → both pointers NULL\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated" ],
  "statement" : "A NULL-pointer dereference in the NVMe/TCP target path occurs because nvmet_tcp_build_pdu_iovec() can be called when cmd.req.sg and/or cmd.iov are not initialized. A remote host can trigger this by sending an out-of-order H2C_DATA PDU immediately after the ICREQ/ICRESP handshake (e.g., before CONNECT), causing a kernel crash (DoS). Privileges are typically not required beyond network reachability to the NVMe/TCP target.\nNVMe/TCP targets are typically deployed inside isolated storage or data-center networks and are not exposed to the public Internet. In practice, exploitation usually requires access to a local or trusted internal network where NVMe/TCP is used for remote memory or storage access over TCP.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2721",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.38.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2378",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.104.1.rt7.445.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2264",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.104.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2722",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.34.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2722",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.34.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22998\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22998\nhttps://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22998-8392@gregkh/T" ],
  "name" : "CVE-2026-22998",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module nvmet-tcp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically. By default it is disabled in Red Hat Enterprise Linux and only root user can enable it.",
    "lang" : "en:us"
  },
  "csaw" : false
}