Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.
An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
AnalysisAI
NVMe/TCP targets are vulnerable to unauthenticated denial of service when a remote attacker sends a CONNECT command with an invalid CNTLID, triggering a kernel panic on the exposed system. The vulnerability exploits a null pointer dereference that allows any network-accessible attacker to crash the target without authentication. No patch is currently available for this high-severity flaw.
Technical ContextAI
NVMe/TCP (NVMe over Fabrics using TCP) is a protocol specification that extends NVMe (Non-Volatile Memory Express) functionality over network transports, enabling remote block storage access. FreeBSD implements an NVMe/TCP target (server-side) that accepts client connections to provision remote storage. The vulnerability stems from a null pointer dereference (CWE-476) in the CONNECT command handler for I/O queues when processing a CNTLID parameter that is either invalid, expired, or not yet initialized. The NVMe/TCP specification defines the CONNECT command as the mechanism for clients to establish queue pairs; improper validation of the CNTLID field fails to check if the referenced controller exists or is valid before dereferencing it in kernel memory, triggering a panic. The affected product is FreeBSD across all versions with NVMe/TCP target support enabled (CPE: cpe:2.3:a:freebsd:freebsd:*:*:*:*:*:*:*:*).
RemediationAI
Immediately apply the security patch provided in FreeBSD security advisory FreeBSD-SA-26:07.nvmf (https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc) by upgrading to the patched FreeBSD release version specified in the advisory. As an interim mitigation for systems unable to patch immediately, restrict network access to NVMe/TCP target ports (typically TCP port 4420) using firewall rules or network segmentation, allowing connections only from trusted, authenticated client networks. Disable NVMe/TCP target services entirely if not actively required for business operations. Monitor system logs for kernel panics correlated with NVMe/TCP connection attempts, which may indicate exploitation attempts.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16130
GHSA-wr95-7j53-j5c2