CVE-2026-22998
Published: 25 January 2026
Summary
CVE-2026-22998 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of the NVMe-TCP target vulnerability causes kernel panic and system crash, matching Endpoint DoS via Application or System Exploitation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
Deeper analysis
CVE-2026-22998 is a NULL pointer dereference vulnerability in the Linux kernel's NVMe-over-TCP target implementation, specifically within the nvmet_tcp_build_pdu_iovec() function. This issue arises because prior changes added bounds checking and validation for H2C_DATA PDUs but failed to verify if the command's data structures, cmd->req.sg and cmd->iov, were properly initialized before dereferencing them. It affects Linux kernels supporting the NVMe-TCP target, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-476.
Remote attackers with network access to an NVMe-TCP target can exploit this vulnerability without privileges by sending crafted H2C_DATA PDUs immediately after the ICREQ/ICRESP handshake, before a CONNECT command or NVMe write command is processed. Exploitation scenarios include sending H2C_DATA before CONNECT (both pointers NULL), for a READ command (cmd->req.sg allocated but cmd->iov NULL), or for an uninitialized command slot (both pointers NULL). Successful exploitation triggers kernel crashes or panics, resulting in denial of service.
Mitigation is provided through upstream kernel patches that add explicit NULL checks for both cmd->req.sg and cmd->iov before invoking nvmet_tcp_build_pdu_iovec(), addressing all identified vectors: uninitialized commands (both NULL), READ commands (cmd->req.sg only), and WRITE commands (both allocated). Relevant stable kernel commits include 32b63acd78f577b332d976aa06b56e70d054cbba, 374b095e265fa27465f34780e0eb162ff1bef913, 3def5243150716be86599c2a1767c29c68838b6d, 76abc83a9d25593c2b7613c549413079c14a4686, and 7d75570002929d20e40110d6b03e46202c9d1bc7, available at git.kernel.org.
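As an added illustration of the three command states named in the NVD description and the deeper analysis above, the following C model is not the kernel's own code: the struct, the enum and the function names are simplified stand-ins, and the sizes are constructed. It shows why a guard on both cmd->req.sg and cmd->iov is needed before the iovec is built, since a READ slot has only the first pointer set.

```c
#include <stddef.h>

/* Simplified stand-ins for the kernel's scatterlist and kvec entries (constructed). */
struct sg_entry { size_t length; };
struct iov_entry { void *base; size_t len; };

/* Minimal model of an nvmet_tcp command slot: only the two pointers the
 * fix validates are modelled (cmd->req.sg and cmd->iov in the kernel). */
struct tcp_cmd {
    struct sg_entry *sg;
    struct iov_entry *iov;
};

/* The three slot states the advisory lists. */
enum cmd_state { CMD_UNINITIALIZED, CMD_READ, CMD_WRITE };

/* Put a slot into one of the three states: an uninitialized slot has neither
 * pointer set, a READ command has only sg, a WRITE command has both. */
static void init_cmd(struct tcp_cmd *cmd, enum cmd_state state,
                     struct sg_entry *sg, struct iov_entry *iov)
{
    cmd->sg = (state == CMD_UNINITIALIZED) ? NULL : sg;
    cmd->iov = (state == CMD_WRITE) ? iov : NULL;
}

/* Stand-in for nvmet_tcp_build_pdu_iovec(): dereferences both pointers
 * unconditionally, which is the crash site whenever either one is NULL. */
static size_t build_pdu_iovec(struct tcp_cmd *cmd, size_t data_len)
{
    size_t n = cmd->sg[0].length < data_len ? cmd->sg[0].length : data_len;
    cmd->iov[0].len = n;
    return n;
}

/* Hardened H2C_DATA handling (hypothetical name): rejects the PDU with -1
 * unless both structures are initialized, otherwise returns bytes mapped. */
long handle_h2c_data(struct tcp_cmd *cmd, size_t data_len)
{
    if (!cmd->sg || !cmd->iov)   /* both tests are required, see READ case */
        return -1;
    return (long)build_pdu_iovec(cmd, data_len);
}

/* Drive one scenario end to end with a 4096-byte constructed SG entry. */
long run_scenario(enum cmd_state state, size_t data_len)
{
    struct sg_entry sg = { 4096 };
    struct iov_entry iov = { NULL, 0 };
    struct tcp_cmd cmd;
    init_cmd(&cmd, state, &sg, &iov);
    return handle_h2c_data(&cmd, data_len);
}
```

Without the guard, the CMD_UNINITIALIZED and CMD_READ scenarios dereference a NULL pointer inside build_pdu_iovec(); with it, only the WRITE slot reaches the iovec builder.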
Details
- CWE(s)