CVE-2026-52989
Published: 24 June 2026
Summary
CVE-2026-52989 is a critical-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Kernel (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-38857
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the…
more
callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network PDU handling flaw in exposed nvmet-tcp kernel service enables direct exploitation of a public-facing application for kernel memory corruption/privilegescalation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.
The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.
Procedures require detection of error/incident conditions followed by defined response actions.
IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.
The containment, eradication, and recovery steps ensure detected incidents trigger concrete actions rather than no response.
Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.
Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action.
Reporting on security performance measures requires confirming that detected error conditions trigger appropriate actions rather than being ignored.