CVE-2026-23112

moderate-risk

Published 2026-02-13

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 043b4307a99f902697349128fde93b2ddde4686c, 42afe8ed8ad2de9c19457156244ef3e1eca94b5d, 1385be357e8acd09b36e026567f3a9d5c61139de, dca1a6ba0da9f472ef040525fab10fd9956db59f, 19672ae68d52ff75347ebe2420dde1b07adca09f, ab200d71553bdcf4de554a5985b05b2dd606bc57, 52a0a98549344ca20ad81a4176d68d28e3c05a5c

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (9)

Linux Kernel

Affected Vendors

Linux

References (7)

Patch https://git.kernel.org/stable/c/043b4307a99f902697349128fde93b2ddde4686c

Patch https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de

Patch https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f

Patch https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d

Patch https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c

Patch https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57

Patch https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 0/34 · Minimal

Exposure 15/34 · Moderate