Security Vulnerability Report
中文
CVE-2026-23376 CVSS 5.5 MEDIUM

CVE-2026-23376

Published: 2026-03-25 11:16:37
Last Modified: 2026-04-24 16:21:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet-fcloop: Check remoteport port_state before calling done callback In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources. Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state. If online, then lsrsp->done callback will free the lsrsp. Else, return -ENODEV to signal the nvme-fc transport to handle freeing lsrsp.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.x (Specific versions depend on commit backports)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * Conceptual PoC for CVE-2026-23376 * This requires a system with the nvmet-fcloop module loaded. * The PoC simulates the condition where a Link Service request * is processed while the remote port is not in the ONLINE state. */ #include <linux/module.h> #include <linux/init.h> // Mocking the structure to demonstrate the logic flaw struct fcloop_lsrsp { void (*done)(struct fcloop_lsrsp *lsrsp); }; struct fcloop_remoteport { int port_state; }; #define FC_OBJSTATE_ONLINE 1 void vulnerable_function(struct fcloop_remoteport *remoteport, struct fcloop_lsrsp *lsrsp) { // Vulnerability: Missing check for remoteport->port_state before calling lsrsp->done // In the exploit scenario, port_state is not ONLINE, so lsrsp->done might be NULL/invalid. if (lsrsp->done) { printk(KERN_INFO "Calling done callback\n"); lsrsp->done(lsrsp); // This triggers the crash if state was wrong } else { printk(KERN_INFO "Done callback is NULL\n"); } } static int __init poc_init(void) { struct fcloop_remoteport rp; struct fcloop_lsrsp ls; // Setup scenario where port is NOT online rp.port_state = 0; // Not FC_OBJSTATE_ONLINE ls.done = NULL; // Callback not set by transport layer printk(KERN_INFO "CVE-2026-23376 PoC loaded\n"); // Trigger the vulnerable path vulnerable_function(&rp, &ls); return 0; } static void __exit poc_exit(void) { printk(KERN_INFO "CVE-2026-23376 PoC unloaded\n"); } module_init(poc_init); module_exit(poc_exit); MODULE_LICENSE("GPL");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23376", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:37.383", "lastModified": "2026-04-24T16:21:52.913", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fcloop: Check remoteport port_state before calling done callback\n\nIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when\nremoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the\nnvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to\nfail and the nvme-fc transport layer itself will directly call\nnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free\nthe lsrsp resources.\n\nUpdate the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.\nIf online, then lsrsp->done callback will free the lsrsp. Else, return\n-ENODEV to signal the nvme-fc transport to handle freeing lsrsp."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvmet-fcloop: Verificar el estado del puerto de remoteport antes de llamar a la función de devolución de llamada 'done'\n\nEn nvme_fc_handle_ls_rqst_work, la función de devolución de llamada lsrsp-&gt;done solo se establece cuando el estado del puerto de remoteport es FC_OBJSTATE_ONLINE. De lo contrario, se espera que la llamada LLDD de nvme_fc_xmt_ls_rsp a lport-&gt;ops-&gt;xmt_ls_rsp falle y la propia capa de transporte nvme-fc llamará directamente a nvme_fc_xmt_ls_rsp_free en lugar de depender de la función de devolución de llamada 'done' de LLDD para liberar los recursos de lsrsp.\n\nActualizar la rutina fcloop_t2h_xmt_ls_rsp para verificar el estado del puerto de remoteport. Si está en línea, entonces la función de devolución de llamada lsrsp-&gt;done liberará el lsrsp. De lo contrario, devolver -ENODEV para indicar al transporte nvme-fc que se encargue de liberar lsrsp."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.3", "versionEndExcluding": "6.18", "matchCriteriaId": "01823571-21C8-47A7-A81B-D79D8F3C5262"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.17", "matchCriteriaId": "07E9D8CD-82F0-4CC6-8038-BF71758D583C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.