Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: release admin tagset if init fails
nvme_fabrics creates an NVMe/FC controller in following path:
nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl()
nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc.
Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.
AnalysisAI
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
Technical ContextAI
The vulnerability resides in the NVMe/FC (Non-Volatile Memory Express over Fibre Channel) subsystem of the Linux kernel, specifically in the nvme_fc_init_ctrl() function called during controller creation via the nvmf_dev_write()->nvmf_create_ctrl()->nvme_fc_create_ctrl() call chain. The root cause is a missing resource cleanup path: when nvme_add_ctrl() succeeds and admin blk-mq tag set resources are allocated, but subsequent initialization steps fail (such as controller state transitions or connect work scheduling), the code jumps to the fail_ctrl error path which does not invoke nvme_remove_admin_tag_set(). This represents a classic resource leak (CWE-401: Missing Release of Memory after Effective Lifetime). The CVE affects the Linux kernel as identified by CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, impacting any system using the nvme-fc driver for Fibre Channel NVMe connectivity.
RemediationAI
Apply kernel updates that include the nvme-fc admin tag set cleanup patch. Users should upgrade to a kernel version containing one of the five commits referenced in the git.kernel.org/stable repository (commit hashes provided above). Check your Linux distribution's security advisory pages (e.g., kernel.org, Ubuntu Security Notices, Red Hat Security Advisories, SUSE Security Updates) for specific kernel versions that incorporate these fixes. For systems where immediate kernel patching is not feasible, restrict NVMe/FC controller initialization attempts and monitor kernel memory usage via /proc/meminfo and dmesg for repeated kmemleak warnings related to nvme-fc tag set allocations. If systems are not actively using NVMe/FC hardware, consider disabling the nvme-fc module at boot time via kernel command-line parameters until patching can be completed.
More in Linux Kernel
View allLinux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h
Same technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.10.223-1 | - |
| bullseye (security) | vulnerable | 5.10.251-1 | - |
| bookworm | fixed | 6.1.164-1 | - |
| bookworm (security) | fixed | 6.1.164-1 | - |
| trixie | fixed | 6.12.73-1 | - |
| trixie (security) | fixed | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.18.10-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12896