Cyber Resilience

CVE-2026-23112

CriticalUpdated

Published: 13 February 2026

Published
13 February 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 31.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-23112 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23112 is a high-severity vulnerability in the Linux kernel's nvmet-tcp subsystem, specifically in the nvmet_tcp_build_pdu_iovec() function. This flaw arises from missing bounds checks, allowing the function to iterate beyond the cmd->req.sg scatter-gather array when a PDU length or offset exceeds the sg_cnt. As a result, it accesses invalid sg->length and sg->offset values, which are then passed to _copy_to_iter(), potentially triggering a general protection fault (GPF) or KASAN-detected memory corruption. The issue is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 9.8.

A remote, unauthenticated attacker (AV:N/AC:L/PR:N/UI:N) can exploit this vulnerability over the network by sending crafted NVMe/TCP PDUs to a Linux system configured as an NVMe target. Successful exploitation leads to high-impact effects on confidentiality, integrity, and availability (C:H/I:H/A:H), including kernel crashes via GPF, memory corruption detectable by KASAN, or potential arbitrary code execution due to the mishandling of bogus scatter-gather entries in the bvec construction.

The referenced stable kernel patches address the issue by adding bounds checks on sg_idx, remaining entries, and sg->length/offset values prior to bvec construction. These fixes are available in the following commits: 043b4307a99f902697349128fde93b2ddde4686c, 1385be357e8acd09b36e026567f3a9d5c61139de, 19672ae68d52ff75347ebe2420dde1b07adca09f, 42afe8ed8ad2de9c19457156244ef3e1eca94b5d, and 52a0a98549344ca20ad81a4176d68d28e3c05a5c. Security practitioners should apply these updates to affected kernel versions hosting nvmet-tcp targets.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard…

more

sg_idx, remaining entries, and sg->length/offset before building the bvec.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote unauthenticated network exploit of NVMe/TCP target service via crafted PDUs enables T1190; kernel memory corruption/RCE yields privilege escalation to ring-0 via T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31705Same product: Linux Linux Kernel
CVE-2022-49062Same product: Linux Linux Kernel
CVE-2023-52980Same product: Linux Linux Kernel
CVE-2021-47642Same product: Linux Linux Kernel
CVE-2022-49581Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2025-71092Same product: Linux Linux Kernel
CVE-2025-21724Same product: Linux Linux Kernel
CVE-2026-23078Same product: Linux Linux Kernel
CVE-2026-31780Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 5.0 — 5.10.250 · 5.11 — 5.15.200 · 5.16 — 6.1.163

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates CVE-2026-23112 by applying kernel patches that add the missing bounds checks in nvmet_tcp_build_pdu_iovec().

prevent

Information input validation enforces bounds checks on PDU lengths, offsets, and scatter-gather entries to prevent out-of-bounds access in the nvmet-tcp subsystem.

detect

Memory protection mechanisms like KASAN detect invalid memory accesses from bogus sg->length/offset values passed to _copy_to_iter().

References