CVE-2026-22998

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec<br /> <br /> Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")<br /> added ttag bounds checking and data_offset<br /> validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate<br /> whether the command&amp;#39;s data structures (cmd-&gt;req.sg and cmd-&gt;iov) have<br /> been properly initialized before processing H2C_DATA PDUs.<br /> <br /> The nvmet_tcp_build_pdu_iovec() function dereferences these pointers<br /> without NULL checks. This can be triggered by sending H2C_DATA PDU<br /> immediately after the ICREQ/ICRESP handshake, before<br /> sending a CONNECT command or NVMe write command.<br /> <br /> Attack vectors that trigger NULL pointer dereferences:<br /> 1. H2C_DATA PDU sent before CONNECT → both pointers NULL<br /> 2. H2C_DATA PDU for READ command → cmd-&gt;req.sg allocated, cmd-&gt;iov NULL<br /> 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL<br /> <br /> The fix validates both cmd-&gt;req.sg and cmd-&gt;iov before calling<br /> nvmet_tcp_build_pdu_iovec(). Both checks are required because:<br /> - Uninitialized commands: both NULL<br /> - READ commands: cmd-&gt;req.sg allocated, cmd-&gt;iov NULL<br /> - WRITE commands: both allocated