Is there a patch available for CVE-2026-23261?

Yes, a patch is available for CVE-2026-23261. Update the affected software to the latest version immediately.

Linux Kernel CVE-2026-23261

EUVD-2026-12896

2026-03-18 Linux

Denial Of Service Linux Memory Corruption Debian Linux Kernel

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 18, 2026 - 18:00 euvd

EUVD-2026-12896

Analysis Generated

Mar 18, 2026 - 18:00 vuln.today

CVE Published

Mar 18, 2026 - 17:41 nvd

N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: release admin tagset if init fails

nvme_fabrics creates an NVMe/FC controller in following path:

nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl()

nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc.

Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.

AnalysisAI

This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-47269 HIGH This Week

7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH

CVE-2026-47334 MEDIUM This Month

5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect

CVE-2026-47335 MEDIUM This Month

5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic

CVE-2026-47271 MEDIUM This Month

5.1 May 27

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str

CVE-2026-47327 LOW Monitor

3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th

Vendor StatusVendor

Debian

linux

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	5.10.223-1	-
bullseye (security)	vulnerable	5.10.251-1	-
bookworm	fixed	6.1.164-1	-
bookworm (security)	fixed	6.1.164-1	-
trixie	fixed	6.12.73-1	-
trixie (security)	fixed	6.12.74-2	-
forky	fixed	6.19.6-2	-
sid	fixed	6.19.8-1	-
(unstable)	fixed	6.18.10-1	-

CVE-2026-23261 vulnerability details – vuln.today

Back