CVE-2026-23148
Published: 14 February 2026
Summary
CVE-2026-23148 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 12.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote exploitation of an exposed NVMe-oF target service leads directly to a system crash via a kernel NULL dereference (Endpoint DoS via system exploitation).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference

There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():

1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inline_bio from nvmet_req
5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
6. The re-submitted bio enters submit_bio_noacct_nocheck()
7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:

    BUG: kernel NULL pointer dereference, address: 0000000000000028
    #PF: supervisor read access in kernel mode
    RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
    Call Trace:
     submit_bio_noacct_nocheck+0x44/0x250
     nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
     process_one_work+0x193/0x3c0
     worker_thread+0x281/0x3a0

Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.
Deeper analysis
CVE-2026-23148 is a race condition vulnerability in the Linux kernel's NVMe target (nvmet) subsystem, specifically within the nvmet_bio_done() function. This flaw can lead to a NULL pointer dereference in blk_cgroup_bio_start(). The issue arises when a bio completes, triggering nvmet_req_complete() which invokes a queue_response callback that may re-queue and re-submit the request using the same inline_bio. Concurrently, nvmet_req_bio_put() calls bio_uninit() on that bio, setting bio->bi_blkg to NULL. The re-submitted bio then reaches submit_bio_noacct_nocheck(), where blk_cgroup_bio_start() attempts to dereference the now-NULL bi_blkg, resulting in a kernel crash.
A remote network attacker with no privileges or user interaction required (CVSSv3.1: 7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) can exploit this vulnerability. By interacting with an nvmet-enabled system via NVMe over Fabrics, the attacker can trigger the race condition through bio completion and request re-submission timing, causing a kernel NULL pointer dereference and system denial of service via crash, as evidenced by the kernel panic trace involving blk_cgroup_bio_start(), submit_bio_noacct_nocheck(), and nvmet_bdev_execute_rw().
Mitigation is provided via kernel patches in stable releases, available at kernel.org git commits such as 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e, 68207ceefd71cc74ce4e983fa9bd10c3122e349b, and ee10b06980acca1d46e0fa36d6fb4a9578eab6e4. These reorder operations in nvmet_bio_done() to invoke nvmet_req_bio_put() before nvmet_req_complete(), ensuring the bio is cleaned up prior to any potential re-submission and preventing the race. Security practitioners should apply these updates to affected Linux kernels exposing nvmet.
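The ordering change described above, as an added example: a deterministic userspace model written for this page, not the kernel source or the upstream patch. The structs and functions only borrow the kernel names as stand-ins, and the model assumes the re-submission re-initialises inline_bio and that a worker submits it after nvmet_bio_done() returns.

```c
/* Userspace model of the ordering in nvmet_bio_done(); not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct blkg { int id; };                      /* stand-in for the blkg object */
struct bio  { struct blkg *bi_blkg; };
struct req  { struct bio inline_bio; struct bio *queued; int resubmits; };
static struct blkg model_blkg = { 1 };

static void bio_init(struct bio *b)   { b->bi_blkg = &model_blkg; }
static void bio_uninit(struct bio *b) { b->bi_blkg = NULL; }

/* Models blk_cgroup_bio_start(): the kernel dereferences bi_blkg here. */
static int blk_cgroup_bio_start(struct bio *b)
{
    return b->bi_blkg ? b->bi_blkg->id : -1;  /* -1 marks the NULL dereference */
}

/* Models a queue_response callback that re-queues the request once and
 * reuses the same inline_bio (steps 3 and 4 of the description). */
static void nvmet_req_complete(struct req *r)
{
    if (r->resubmits++ == 0) {
        bio_init(&r->inline_bio);             /* assumption of this model */
        r->queued = &r->inline_bio;           /* a worker submits it later */
    }
}
static void nvmet_req_bio_put(struct req *r) { bio_uninit(&r->inline_bio); }

/* Before the fix: complete, then put, which clears the re-queued bio. */
static void done_before_fix(struct req *r) { nvmet_req_complete(r); nvmet_req_bio_put(r); }

/* After the fix: put, then complete, so the re-queued bio stays initialised. */
static void done_after_fix(struct req *r) { nvmet_req_bio_put(r); nvmet_req_complete(r); }

/* One completion, then the worker submitting the re-queued bio. */
static int run_model(void (*bio_done)(struct req *))
{
    struct req r = { { NULL }, NULL, 0 };
    bio_init(&r.inline_bio);                  /* first submission */
    bio_done(&r);
    return r.queued ? blk_cgroup_bio_start(r.queued) : 0;
}

int main(void)
{
    printf("before: %d, after: %d\n", run_model(done_before_fix), run_model(done_after_fix));
    return 0;
}
```

In the kernel the two orderings differ only under a timing window; the model forces the losing interleaving so the effect of the reorder is visible on every run.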
Details
- CWE(s)