ACK: [SRU][Q/N/J][PATCH 0/3] CVE-2026-23112
Manuel Diewald
manuel.diewald at canonical.com
Mon Apr 6 12:27:01 UTC 2026
On Mon, Apr 06, 2026 at 01:51:15PM +0300, Cengiz Can wrote:
> https://ubuntu.com/security/CVE-2026-23112
>
> [ Impact ]
>
> nvmet_tcp_build_pdu_iovec() can walk past cmd->req.sg when a PDU length
> or offset exceeds sg_cnt, then use bogus sg->length/offset values leading
> to _copy_to_iter() GPF/KASAN. An attacker with access to the NVMe-TCP
> target interface could trigger a kernel crash.
>
>
> [ Fix ]
>
> Cherry-picked from mainline for questing and noble. Adjusted for jammy
> due to older iovec style.
>
>
> [ Test Plan ]
>
> All three kernels were compile-tested and boot-tested. PoC verification
> confirmed the vulnerability is no longer triggerable after the fix.
>
>
> [ Where Problems Could Occur ]
>
> If the bounds checks are incorrect, NVMe-TCP connections could be
> prematurely terminated or the target could become unresponsive. In the
> worst case, a malformed check could still allow out-of-bounds access.
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
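The bug class named in the quoted [ Impact ] section, as an added userspace example that is not part of this thread and is not the kernel patch: a scatter-gather walk that rejects any PDU offset or length reaching past `sg_cnt`. The types `sg_ent` and `io_vec`, the function `build_iovec()` and the fixed `SG_PAGE` stride per entry are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical userspace stand-ins, not the kernel's scatterlist or kvec. */
struct sg_ent { uint8_t *buf; size_t offset; size_t length; };
struct io_vec { uint8_t *base; size_t len; };

#define SG_PAGE 4096u /* assumption: every entry covers one page-sized stride */

/*
 * Map the PDU range [pdu_off, pdu_off + pdu_len) onto sg[0..sg_cnt) and fill
 * iov[]. Returns the number of iov entries written, or -1 when the range does
 * not fit; on -1 the caller must discard iov[] and fail the command.
 */
int build_iovec(const struct sg_ent *sg, size_t sg_cnt,
                size_t pdu_off, size_t pdu_len,
                struct io_vec *iov, size_t iov_max)
{
    size_t idx = pdu_off / SG_PAGE;    /* first entry the PDU touches */
    size_t in_off = pdu_off % SG_PAGE; /* byte offset inside that entry */
    size_t n = 0;

    while (pdu_len > 0) {
        /* Without this check the walk reads entries past the end of sg[]. */
        if (idx >= sg_cnt || n >= iov_max)
            return -1;
        if (in_off >= sg[idx].length) /* short or empty entry */
            return -1;
        size_t chunk = sg[idx].length - in_off;
        if (chunk > pdu_len)
            chunk = pdu_len;
        iov[n].base = sg[idx].buf + sg[idx].offset + in_off;
        iov[n].len = chunk;
        n++;
        pdu_len -= chunk;
        idx++;
        in_off = 0;
    }
    return (int)n;
}

int main(void)
{
    static uint8_t a[SG_PAGE], b[SG_PAGE]; /* constructed sample buffers */
    struct sg_ent sg[2] = { { a, 0, SG_PAGE }, { b, 0, SG_PAGE } };
    struct io_vec iov[4];
    /* An in-range PDU maps to 2 entries; one byte too long is rejected. */
    return !(build_iovec(sg, 2, 0, 2 * SG_PAGE, iov, 4) == 2 &&
             build_iovec(sg, 2, SG_PAGE, SG_PAGE + 1, iov, 4) == -1);
}
```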