Skip to main content

Linux Kernel CVE-2026-23261

| EUVDEUVD-2026-12896
2026-03-18 Linux

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:00 euvd
EUVD-2026-12896
Analysis Generated
Mar 18, 2026 - 18:00 vuln.today
CVE Published
Mar 18, 2026 - 17:41 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: release admin tagset if init fails

nvme_fabrics creates an NVMe/FC controller in following path:

nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl()

nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc.

Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.

AnalysisAI

This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.

Technical ContextAI

The vulnerability resides in the NVMe/FC (Non-Volatile Memory Express over Fibre Channel) subsystem of the Linux kernel, specifically in the nvme_fc_init_ctrl() function called during controller creation via the nvmf_dev_write()->nvmf_create_ctrl()->nvme_fc_create_ctrl() call chain. The root cause is a missing resource cleanup path: when nvme_add_ctrl() succeeds and admin blk-mq tag set resources are allocated, but subsequent initialization steps fail (such as controller state transitions or connect work scheduling), the code jumps to the fail_ctrl error path which does not invoke nvme_remove_admin_tag_set(). This represents a classic resource leak (CWE-401: Missing Release of Memory after Effective Lifetime). The CVE affects the Linux kernel as identified by CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, impacting any system using the nvme-fc driver for Fibre Channel NVMe connectivity.

RemediationAI

Apply kernel updates that include the nvme-fc admin tag set cleanup patch. Users should upgrade to a kernel version containing one of the five commits referenced in the git.kernel.org/stable repository (commit hashes provided above). Check your Linux distribution's security advisory pages (e.g., kernel.org, Ubuntu Security Notices, Red Hat Security Advisories, SUSE Security Updates) for specific kernel versions that incorporate these fixes. For systems where immediate kernel patching is not feasible, restrict NVMe/FC controller initialization attempts and monitor kernel memory usage via /proc/meminfo and dmesg for repeated kmemleak warnings related to nvme-fc tag set allocations. If systems are not actively using NVMe/FC hardware, consider disabling the nvme-fc module at boot time via kernel command-line parameters until patching can be completed.

CVE-2022-0847 HIGH POC
7.8 Mar 10

Linux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo

CVE-2015-1328 HIGH POC
7.8 Nov 28

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no

CVE-2017-7308 HIGH POC
7.8 Mar 29

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer

CVE-2017-16995 HIGH POC
7.8 Dec 27

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial

CVE-2017-1000112 HIGH POC
7.0 Oct 05

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex

CVE-2015-8660 MEDIUM POC
6.7 Dec 28

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op

CVE-2012-0056 MEDIUM POC
6.9 Jan 27

The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when

CVE-2014-0038 MEDIUM POC
6.9 Feb 06

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo

CVE-2016-8655 HIGH POC
7.8 Dec 08

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau

CVE-2016-0728 HIGH POC
7.8 Feb 08

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref

CVE-2017-0561 CRITICAL POC
9.8 Apr 07

A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary

CVE-2022-2588 MEDIUM POC
5.3 Jan 08

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm fixed 6.1.164-1 -
bookworm (security) fixed 6.1.164-1 -
trixie fixed 6.12.73-1 -
trixie (security) fixed 6.12.74-2 -
forky fixed 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.18.10-1 -

Share

CVE-2026-23261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy