Severity by source
Primary rating from Vendor (Linux).
CVSS Vector (Vendor: Linux): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reaching the H2C handler needs an established association on a deliberately enabled NVMe-oF TCP target (PR:L) and a specifically malformed PDU (AC:H); realistic impact is mainly DoS (A:H) with uncertain memory disclosure/corruption (C:L/I:L).
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA. Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
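The void-return defect described above, and the shape of the fix, as an added example that is not kernel code: a constructed model in which build_pdu_iovec_void() reports an out-of-bounds PDU only by side effect and its caller advances to RCV_DATA anyway, beside a version that returns an error (-EINVAL is an assumed code) so the caller stops before the receive loop runs. The struct fields, RCV_* states and function names are assumptions standing in for cmd->recv_msg.msg_iter and queue->rcv_state.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed model, not kernel code: a command owns data_len bytes of
 * buffer; an H2C data PDU claims pdu_len bytes starting at pdu_off. */
struct pdu_cmd { uint32_t data_len, pdu_off, pdu_len; bool iter_ready; };
enum rcv_state { RCV_PDU, RCV_DATA, RCV_ERR };
struct queue { enum rcv_state rcv_state; bool fatal; };
static bool pdu_out_of_bounds(const struct pdu_cmd *c)
{   /* the first test guards the subtraction against wrap-around */
    return c->pdu_off > c->data_len || c->pdu_len > c->data_len - c->pdu_off;
}

/* Before the fix: failure is reported only by side effect (void return). */
static void build_pdu_iovec_void(struct queue *q, struct pdu_cmd *c)
{
    if (pdu_out_of_bounds(c)) {
        q->fatal = true;   /* nvmet_tcp_fatal_error(cmd->queue) */
        return;            /* iterator left uninitialised */
    }
    c->iter_ready = true;  /* stands in for setting up recv_msg.msg_iter */
}
/* The caller cannot see the failure and advances to RCV_DATA regardless. */
enum rcv_state handle_h2c_data_before(struct queue *q, struct pdu_cmd *c)
{
    build_pdu_iovec_void(q, c);
    q->rcv_state = RCV_DATA;
    return q->rcv_state;
}

/* After the fix: hand the error (an assumed -EINVAL) back to the caller. */
static int build_pdu_iovec(struct queue *q, struct pdu_cmd *c)
{
    if (pdu_out_of_bounds(c)) {
        q->fatal = true;
        return -EINVAL;
    }
    c->iter_ready = true;
    return 0;
}
int handle_h2c_data_after(struct queue *q, struct pdu_cmd *c)
{
    int ret = build_pdu_iovec(q, c);
    if (ret) {             /* stop here; never enter RCV_DATA */
        q->rcv_state = RCV_ERR;
        return ret;
    }
    q->rcv_state = RCV_DATA;
    return 0;
}
```

The condition to watch for in the "before" path is rcv_state == RCV_DATA while iter_ready is still false: that is the state in which the socket loop would read into the unset iterator.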
Analysis (AI)
A memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported an out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target host to be running as an NVMe-over-Fabrics TCP target - i.e. … |
| Risk Assessment | Signals conflict and should be reconciled before prioritization. … |
| Exploit Scenario | An attacker who can reach an NVMe-over-TCP target port (or a compromised/malicious initiator already permitted to connect) establishes a controller association and sends a crafted H2C data PDU carrying an out-of-bounds length or offset. The target detects the bad PDU but proceeds anyway, reading subsequent network bytes into an uninitialized iterator, corrupting kernel memory and likely crashing the target (DoS) or potentially escalating to memory corruption. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (and the 6.19 mainline), per the EUVD patch list; apply your distribution's backported kernel update once it ships, referencing the upstream commits at git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c and git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3. … |
Recommended Action (AI)
24 hours: Inventory all systems deploying NVMe-over-TCP target driver (document kernel versions and network accessibility). …
Same technique: Buffer Overflow
Related advisories: EUVD-2026-38857, GHSA-m4w6-2g7f-9j5p