APPLIED: [SRU][Q/N/J][PATCH 0/3] CVE-2026-23112
Mehmet Basaran
mehmet.basaran at canonical.com
Fri Apr 10 14:34:39 UTC 2026
Applied to questing:linux, noble:linux, jammy:linux master-next
branches. Thanks.
Cengiz Can <cengiz.can at canonical.com> writes:
> https://ubuntu.com/security/CVE-2026-23112
>
> [ Impact ]
>
> nvmet_tcp_build_pdu_iovec() can walk past cmd->req.sg when a PDU length
> or offset exceeds sg_cnt, then use bogus sg->length/offset values leading
> to _copy_to_iter() GPF/KASAN. An attacker with access to the NVMe-TCP
> target interface could trigger a kernel crash.
>
>
> [ Fix ]
>
> Cherry-picked from mainline for questing and noble. Adjusted for jammy
> due to older iovec style.
>
>
> [ Test Plan ]
>
> All three kernels were compile-tested and boot-tested. PoC verification
> confirmed the vulnerability is no longer triggerable after the fix.
>
>
> [ Where Problems Could Occur ]
>
> If the bounds checks are incorrect, NVMe-TCP connections could be
> prematurely terminated or the target could become unresponsive. In the
> worst case, a malformed check could still allow out-of-bounds access.
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
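
The condition described in the quoted [ Impact ] section, as an added example that is not part of the original message and is not the kernel patch: a userspace C model of walking a segment list with the index checked against the segment count before each entry is read. The types `seg` and `iov_out`, the function `build_iovec_checked`, and the fixed `SEG_SIZE` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SEG_SIZE 4096u /* assumption: one page-sized slot per list entry */

/* Constructed stand-ins, not the kernel's scatterlist or iovec types. */
struct seg { uint32_t offset, length; };
struct iov_out { size_t seg_idx; uint32_t offset, len; };

/*
 * Map the PDU window [pdu_off, pdu_off + pdu_len) onto segs[0..seg_cnt).
 * Returns the number of entries written to out, or -1 when the window
 * would need an entry past seg_cnt or an offset outside an entry.
 */
int build_iovec_checked(const struct seg *segs, size_t seg_cnt,
                        uint64_t pdu_off, uint64_t pdu_len,
                        struct iov_out *out, size_t out_cap)
{
    uint64_t first = pdu_off / SEG_SIZE;
    uint32_t in_seg = (uint32_t)(pdu_off % SEG_SIZE);
    size_t idx, n = 0;

    if (first >= seg_cnt)
        return -1;              /* starting offset is beyond the list */
    idx = (size_t)first;

    while (pdu_len > 0) {
        /* Check the index before touching segs[idx]: this is the bound
         * whose absence lets a walk read stale length/offset values. */
        if (idx >= seg_cnt || n >= out_cap)
            return -1;
        if (in_seg >= segs[idx].length)
            return -1;          /* offset falls outside this entry */

        uint32_t avail = segs[idx].length - in_seg;
        uint32_t take = pdu_len < avail ? (uint32_t)pdu_len : avail;

        out[n].seg_idx = idx;
        out[n].offset = segs[idx].offset + in_seg;
        out[n].len = take;
        n++;
        pdu_len -= take;
        idx++;
        in_seg = 0;             /* later entries are read from their start */
    }
    return (int)n;
}
```

A caller treats -1 as a protocol error for that connection rather than clamping the length, which matches the trade-off named under [ Where Problems Could Occur ]: a check that is too strict drops valid connections, one that is too loose still reads out of bounds.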