CVE-2026-22998

Source
https://cve.org/CVERecord?id=CVE-2026-22998
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22998.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22998
Published
2026-01-25T14:36:12.935Z
Modified
2026-05-07T04:18:18.059710Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending an H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
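
The pointer states listed above, as a user-space model in C (an added example, not the kernel patch or code from this record). The names `model_cmd`, `model_queue` and the `H2C_*` result codes, and the use of ttag as an array index, are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_CMDS 4   /* constructed queue depth for this model */

/* Stand-in for the target's per-command state; the two fields mirror
 * cmd->req.sg and cmd->iov from the advisory. Names are hypothetical. */
struct model_cmd {
    void *sg;   /* allocated for READ and WRITE commands */
    void *iov;  /* allocated only for WRITE commands */
};
struct model_queue { struct model_cmd cmds[NR_CMDS]; };

enum h2c_result { H2C_OK = 0, H2C_BAD_TTAG = -1, H2C_CMD_NOT_READY = -2 };

static int sg_buf, iov_buf;  /* dummy non-NULL targets */

void model_setup_read(struct model_cmd *c)  { c->sg = &sg_buf; c->iov = NULL; }
void model_setup_write(struct model_cmd *c) { c->sg = &sg_buf; c->iov = &iov_buf; }

/* Order from the advisory: ttag bounds (earlier commit), then both pointers. */
enum h2c_result model_handle_h2c_data(struct model_queue *q, unsigned int ttag)
{
    struct model_cmd *cmd;

    if (ttag >= NR_CMDS)
        return H2C_BAD_TTAG;
    cmd = &q->cmds[ttag];   /* assumption: ttag indexes the command array */
    if (!cmd->sg || !cmd->iov)
        return H2C_CMD_NOT_READY;  /* reject before any dereference */
    return H2C_OK;  /* real code would build the iovec from sg here */
}

/* A check on sg alone: accepts a READ slot whose iov is still NULL. */
int model_sg_only_accepts(const struct model_queue *q, unsigned int ttag)
{
    return ttag < NR_CMDS && q->cmds[ttag].sg != NULL;
}

int main(void)
{
    struct model_queue q = { 0 };  /* state right after ICREQ/ICRESP */

    model_setup_read(&q.cmds[1]);
    model_setup_write(&q.cmds[2]);
    for (unsigned int t = 0; t <= NR_CMDS; t++)
        printf("ttag %u -> %d (sg-only accepts: %d)\n", t,
               model_handle_h2c_data(&q, t), model_sg_only_accepts(&q, t));
    return 0;
}
```

Slot 1 is the READ case: a check on `sg` alone would accept it, while the combined check rejects it before `iov` is touched.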

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22998.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f775f2621c2ac5cc3a0b3a64665dad4fb146e510
Fixed
baabe43a0edefac8cd7b981ff87f967f6034dafe
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d
Fixed
76abc83a9d25593c2b7613c549413079c14a4686
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2871aa407007f6f531fae181ad252486e022df42
Fixed
7d75570002929d20e40110d6b03e46202c9d1bc7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24e05760186dc070d3db190ca61efdbce23afc88
Fixed
fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efa56305908ba20de2104f1b8508c6a7401833be
Fixed
3def5243150716be86599c2a1767c29c68838b6d
Fixed
374b095e265fa27465f34780e0eb162ff1bef913
Fixed
32b63acd78f577b332d976aa06b56e70d054cbba
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
ee5e7632e981673f42a50ade25e71e612e543d9d
Last affected
70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22998.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.10.249
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.199
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.162
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.122
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.67
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.18.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22998.json"