[SRU][Q/N/J][PATCH 0/3] CVE-2026-23112
Cengiz Can
cengiz.can at canonical.com
Mon Apr 6 10:51:15 UTC 2026
https://ubuntu.com/security/CVE-2026-23112
[ Impact ]
nvmet_tcp_build_pdu_iovec() can walk past cmd->req.sg when a PDU length
or offset exceeds sg_cnt, then use bogus sg->length/offset values leading
to _copy_to_iter() GPF/KASAN. An attacker with access to the NVMe-TCP
target interface could trigger a kernel crash.
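To illustrate the class of bounds check the [ Impact ] paragraph refers to, here is an added userspace C model that is not the kernel's nvmet_tcp code and not the patch itself: an iovec is built from a scatterlist only after the requested PDU offset and length have been validated against the total bytes the scatterlist describes, so the walk can never step past the last entry. `struct sg_entry`, `struct iov_entry` and `build_pdu_iovec()` are hypothetical names, and the sample scatterlist in `main()` is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a scatterlist entry (not the kernel's struct scatterlist). */
struct sg_entry {
    uint32_t offset;   /* byte offset of the data within its backing page */
    uint32_t length;   /* number of valid bytes in this entry */
};

/* Hypothetical stand-in for one iovec element. */
struct iov_entry {
    size_t base_off;   /* sg offset + intra-entry skip (stands in for a page address) */
    size_t len;        /* bytes covered by this element */
};

/*
 * Fill `out` with iovec elements covering bytes [pdu_off, pdu_off + pdu_len)
 * of the data described by sg[0..sg_cnt).
 *
 * Returns the number of elements written, -EINVAL when the requested range
 * does not fit inside the scatterlist (the defensive check), or -ENOSPC when
 * `out` is too small. The walk below only dereferences sg[idx] for idx < sg_cnt.
 */
int build_pdu_iovec(const struct sg_entry *sg, size_t sg_cnt,
                    size_t pdu_off, size_t pdu_len,
                    struct iov_entry *out, size_t out_max)
{
    size_t total = 0;

    /* Sum the scatterlist, guarding the addition against wraparound. */
    for (size_t i = 0; i < sg_cnt; i++) {
        if (total > SIZE_MAX - sg[i].length)
            return -EINVAL;
        total += sg[i].length;
    }

    /* Reject a PDU range that would walk past the last entry. */
    if (pdu_off > total || pdu_len > total - pdu_off)
        return -EINVAL;

    size_t idx = 0, skip = pdu_off, n = 0, remaining = pdu_len;

    /* Skip whole entries that lie entirely before pdu_off. */
    while (idx < sg_cnt && skip >= sg[idx].length) {
        skip -= sg[idx].length;
        idx++;
    }

    while (remaining > 0) {
        if (idx >= sg_cnt)          /* unreachable after the range check; kept defensively */
            return -EINVAL;
        size_t avail = sg[idx].length - skip;
        if (avail == 0) {           /* zero-length entry: nothing to map here */
            idx++;
            continue;
        }
        if (n >= out_max)
            return -ENOSPC;
        size_t take = avail < remaining ? avail : remaining;
        out[n].base_off = sg[idx].offset + skip;
        out[n].len = take;
        n++;
        remaining -= take;
        skip = 0;
        idx++;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample scatterlist: 4096 + 1024 + 2048 = 7168 bytes total. */
    const struct sg_entry sg[] = { {0, 4096}, {512, 1024}, {0, 2048} };
    struct iov_entry iov[8];

    int n = build_pdu_iovec(sg, 3, 4000, 2000, iov, 8);
    printf("in-range request mapped to %d iovec element(s)\n", n);

    int rc = build_pdu_iovec(sg, 3, 7000, 500, iov, 8);
    printf("over-long request rejected with %d (expect -EINVAL)\n", rc);
    return 0;
}
```

The order matters: the total is computed and the range rejected before any index derived from the PDU header is used to read an entry, which is what keeps `sg[idx].length` and `sg[idx].offset` from ever being read from memory beyond the array.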
[ Fix ]
Cherry-picked from mainline for questing and noble. Adjusted for jammy
due to older iovec style.
[ Test Plan ]
All three kernels were compile-tested and boot-tested. PoC verification
confirmed the vulnerability is no longer triggerable after the fix.
[ Where Problems Could Occur ]
If the bounds checks are incorrect, NVMe-TCP connections could be
prematurely terminated or the target could become unresponsive. In the
worst case, a malformed check could still allow out-of-bounds access.