CVE-2026-52989
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
In the Linux kernel, in the NVMe-over-TCP subsystem (nvmet-tcp), a vulnerability was found where the nvmet_tcp_build_pdu_iovec() function does not propagate errors to its callers when an invalid PDU length or offset is detected. The function returns void and leaves the message iterator uninitialized on error, potentially leading to reading network data into uninitialized memory.
Risk Assessment
The risk involves the kernel potentially reading network data into uninitialized memory, which could lead to information disclosure or system crash. An attacker could exploit this to destabilize an NVMe-over-TCP server.
Recommendation
Immediately update the Linux kernel to a version containing the fix that shifts error handling to the callers. Monitor official security advisories from your Linux distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.

