CVE-2026-23112
Published: 13 February 2026
Summary
CVE-2026-23112 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2026-23112 by applying kernel patches that add the missing bounds checks in nvmet_tcp_build_pdu_iovec().
Information input validation enforces bounds checks on PDU lengths, offsets, and scatter-gather entries to prevent out-of-bounds access in the nvmet-tcp subsystem.
Memory protection mechanisms like KASAN detect invalid memory accesses from bogus sg->length/offset values passed to _copy_to_iter().
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploit of NVMe/TCP target service via crafted PDUs enables T1190; kernel memory corruption/RCE yields privilege escalation to ring-0 via T1068.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard…
more
sg_idx, remaining entries, and sg->length/offset before building the bvec.
Deeper analysisAI
CVE-2026-23112 is a high-severity vulnerability in the Linux kernel's nvmet-tcp subsystem, specifically in the nvmet_tcp_build_pdu_iovec() function. This flaw arises from missing bounds checks, allowing the function to iterate beyond the cmd->req.sg scatter-gather array when a PDU length or offset exceeds the sg_cnt. As a result, it accesses invalid sg->length and sg->offset values, which are then passed to _copy_to_iter(), potentially triggering a general protection fault (GPF) or KASAN-detected memory corruption. The issue is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 9.8.
A remote, unauthenticated attacker (AV:N/AC:L/PR:N/UI:N) can exploit this vulnerability over the network by sending crafted NVMe/TCP PDUs to a Linux system configured as an NVMe target. Successful exploitation leads to high-impact effects on confidentiality, integrity, and availability (C:H/I:H/A:H), including kernel crashes via GPF, memory corruption detectable by KASAN, or potential arbitrary code execution due to the mishandling of bogus scatter-gather entries in the bvec construction.
The referenced stable kernel patches address the issue by adding bounds checks on sg_idx, remaining entries, and sg->length/offset values prior to bvec construction. These fixes are available in the following commits: 043b4307a99f902697349128fde93b2ddde4686c, 1385be357e8acd09b36e026567f3a9d5c61139de, 19672ae68d52ff75347ebe2420dde1b07adca09f, 42afe8ed8ad2de9c19457156244ef3e1eca94b5d, and 52a0a98549344ca20ad81a4176d68d28e3c05a5c. Security practitioners should apply these updates to affected kernel versions hosting nvmet-tcp targets.
Details
- CWE(s)