
Linux Kernel EUVD-2026-38857

CVE-2026-52989 CRITICAL
Detection of Error Condition Without Action (CWE-390)
2026-06-24 Linux GHSA-m4w6-2g7f-9j5p
9.8 (CVSS 3.1 · Vendor: Linux)

Severity by source

Vendor (Linux), PRIMARY: 9.8 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 6.4 MEDIUM

Reaching the H2C handler needs an established association on a deliberately enabled NVMe-oF TCP target (PR:L) and a specifically malformed PDU (AC:H); realistic impact is mainly DoS (A:H) with uncertain memory disclosure/corruption (C:L/I:L).

CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS Vector (Vendor: Linux)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 28, 2026 - 08:44 (vuln.today)
CVSS changed: Jun 28, 2026 - 08:22 (NVD), 9.8 (CRITICAL)
Patch available: Jun 24, 2026 - 18:02 (EUVD)
CVE Published: Jun 24, 2026 - 16:29 (cve.org), CRITICAL 9.8
CVE Published: Jun 24, 2026 - 16:29 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.

Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA. Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.
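
The pattern described above, reduced to a user-space C model and shown before and after the fix. This is an added example, not the kernel's code or the upstream patch; the struct layouts, the iter_ready flag, the RECV_* state names and the 4096-byte buffer are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
/* User-space model; names are illustrative, not the kernel's definitions. */
enum rcv_state { RECV_PDU, RECV_DATA, RECV_ERR };
struct queue { enum rcv_state rcv_state; };
struct cmd { struct queue *queue; size_t buf_len; int iter_ready; };

/* Before: the failure is only a side effect; the caller cannot see it. */
static void build_iovec_void(struct cmd *c, size_t off, size_t len)
{
    if (off > c->buf_len || len > c->buf_len - off) {
        c->queue->rcv_state = RECV_ERR;
        return;                       /* iterator never set up */
    }
    c->iter_ready = 1;
}

static void handle_h2c_before(struct cmd *c, size_t off, size_t len)
{
    build_iovec_void(c, off, len);
    c->queue->rcv_state = RECV_DATA;  /* overwrites RECV_ERR */
}

/* After: the builder returns the error and the caller acts on it. */
static int build_iovec(struct cmd *c, size_t off, size_t len)
{
    if (off > c->buf_len || len > c->buf_len - off)
        return -EINVAL;
    c->iter_ready = 1;
    return 0;
}

static int handle_h2c_after(struct cmd *c, size_t off, size_t len)
{
    int ret = build_iovec(c, off, len);
    c->queue->rcv_state = ret ? RECV_ERR : RECV_DATA;
    return ret;
}

int main(void)
{
    struct queue qb = { RECV_PDU }, qa = { RECV_PDU };
    struct cmd cb = { &qb, 4096, 0 }, ca = { &qa, 4096, 0 }; /* constructed */
    handle_h2c_before(&cb, 4000, 512);   /* 4000 + 512 > 4096: rejected PDU */
    int ret = handle_h2c_after(&ca, 4000, 512);
    printf("before: state=%d iter=%d\n", qb.rcv_state, cb.iter_ready);
    printf("after:  state=%d ret=%d\n", qa.rcv_state, ret);
    return 0;
}
```

In the "before" path the queue ends in the data-receive state with no iterator set up, which is the condition the description warns about; in the "after" path the same input leaves the queue in the error state.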

Analysis (AI)

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach NVMe-oF TCP target port
Delivery: Establish controller association
Exploit: Send crafted H2C data PDU with OOB length
Execution: Build-iovec error silently swallowed
Persist: Kernel reads data into uninitialized iter
Impact: Memory corruption or target crash (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target host to be running as an NVMe-over-Fabrics TCP target - i.e. …
Risk Assessment: Signals conflict and should be reconciled before prioritization. …
Exploit Scenario: An attacker who can reach an NVMe-over-TCP target port (or a compromised/malicious initiator already permitted to connect) establishes a controller association and sends a crafted H2C data PDU carrying an out-of-bounds length or offset. The target detects the bad PDU but proceeds anyway, reading subsequent network bytes into an uninitialized iterator, corrupting kernel memory and likely crashing the target (DoS) or potentially escalating to memory corruption. …
Remediation: Vendor-released patch: update to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (and the 6.19 mainline), per the EUVD patch list; apply your distribution's backported kernel update once it ships, referencing the upstream commits at git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c and git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3. …

Recommended Action (AI)

24 hours: Inventory all systems deploying the NVMe-over-TCP target driver (document kernel versions and network accessibility). …
