CVE-2026-23148
Published: 14 February 2026
Summary
CVE-2026-23148 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23148 is a race condition vulnerability in the Linux kernel's NVMe target (nvmet) subsystem, specifically within the nvmet_bio_done() function. This flaw can lead to a NULL pointer dereference in blk_cgroup_bio_start(). The issue arises when a bio completes, triggering nvmet_req_complete() which invokes a queue_response callback that may re-queue and re-submit the request using the same inline_bio. Concurrently, nvmet_req_bio_put() calls bio_uninit() on that bio, setting bio->bi_blkg to NULL. The re-submitted bio then reaches submit_bio_noacct_nocheck(), where blk_cgroup_bio_start() attempts to dereference the now-NULL bi_blkg, resulting in a kernel crash.
The CVSS v3.1 vector (7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a remote network attacker who needs no privileges and no user interaction. By interacting with an nvmet-enabled system over NVMe over Fabrics, the attacker can trigger the race through the timing of bio completion and request re-submission. The result is a kernel NULL pointer dereference and a denial of service through system crash, as shown by the kernel panic trace involving blk_cgroup_bio_start(), submit_bio_noacct_nocheck(), and nvmet_bdev_execute_rw().
Mitigation is provided via kernel patches in stable releases, available at kernel.org git commits such as 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e, 68207ceefd71cc74ce4e983fa9bd10c3122e349b, and ee10b06980acca1d46e0fa36d6fb4a9578eab6e4. These reorder operations in nvmet_bio_done() to invoke nvmet_req_bio_put() before nvmet_req_complete(), ensuring the bio is cleaned up prior to any potential re-submission and preventing the race. Security practitioners should apply these updates to affected Linux kernels exposing nvmet.
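The ordering change described above can be seen in a small user-space model. This is an added example, not kernel code or code from the patches: every struct and function below is a hypothetical stand-in named after the kernel symbols in the advisory, and the race is reduced to one fixed single-threaded interleaving.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model only: simplified stand-ins named after the kernel
 * symbols in the advisory; one fixed interleaving, no real threads. */
struct blkg { int id; };
struct bio { struct blkg *bi_blkg; };
struct req { struct bio inline_bio; int resubmits_left; };
static struct blkg model_blkg = { 1 };

static void bio_init_model(struct bio *b)   { b->bi_blkg = &model_blkg; }
static void bio_uninit_model(struct bio *b) { b->bi_blkg = NULL; }

/* queue_response stand-in: re-queues the request, reusing inline_bio. */
static void queue_response_model(struct req *r)
{
    if (r->resubmits_left > 0) {
        r->resubmits_left--;
        bio_init_model(&r->inline_bio);    /* re-submission prepares the bio */
    }
}

/* Completion handler; fixed != 0 selects the patched ordering. */
static void bio_done_model(struct req *r, int fixed)
{
    if (fixed) {
        bio_uninit_model(&r->inline_bio);  /* nvmet_req_bio_put() first */
        queue_response_model(r);           /* then nvmet_req_complete() */
    } else {
        queue_response_model(r);           /* nvmet_req_complete() first */
        bio_uninit_model(&r->inline_bio);  /* clears the reused bio's bi_blkg */
    }
}

/* Stand-in for the bi_blkg dereference: 0 if safe, -1 where the kernel faults. */
static int submit_model(const struct bio *b) { return b->bi_blkg ? 0 : -1; }

/* One completion followed by the re-submitted I/O reaching submit. */
int run_model(int fixed)
{
    struct req r = { { NULL }, 1 };
    bio_init_model(&r.inline_bio);         /* original submission */
    bio_done_model(&r, fixed);
    return submit_model(&r.inline_bio);
}

int main(void)
{
    printf("original order: %d\npatched order: %d\n", run_model(0), run_model(1));
    return 0;
}
```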
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5887
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference

There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():

1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inline_bio from nvmet_req
5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
6. The re-submitted bio enters submit_bio_noacct_nocheck()
7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:

    BUG: kernel NULL pointer dereference, address: 0000000000000028
    #PF: supervisor read access in kernel mode
    RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
    Call Trace:
     submit_bio_noacct_nocheck+0x44/0x250
     nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
     process_one_work+0x193/0x3c0
     worker_thread+0x281/0x3a0

Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote exploitation of exposed NVMe-oF target service leads directly to system crash via kernel NULL dereference (Endpoint DoS via system exploitation).
Mitigating Controls (NIST 800-53 r5)
- Mandates timely identification, reporting, and correction of flaws, directly enabling application of kernel patches that reorder operations in nvmet_bio_done() to eliminate the race condition causing the NULL pointer dereference.
- Monitors and controls communications at system boundaries, restricting unauthorized network access to NVMe over Fabrics ports and preventing remote triggering of the nvmet race condition.
- Configures the system to provide only essential capabilities, allowing disablement of the nvmet kernel module if not required to avoid execution of the vulnerable code path.