NULL Pointer Dereference Vulnerability in Linux Kernel's NVMe TCP Component
CVE-2026-22998

Currently unrated

Key Information:

Vendor

Linux
Status
Linux
Vendor
CVE Published:
25 January 2026

What is CVE-2026-22998?

A vulnerability exists in the NVMe TCP implementation of the Linux kernel that could lead to NULL pointer dereferences when processing Host-to-Controller (H2C) Data Protocol Data Units (PDUs). The issue arises because the required command data structures, specifically cmd->req.sg and cmd->iov, are not adequately validated prior to their use. This flaw can be exploited by an attacker sending H2C_DATA PDUs immediately after the Initial Command Request (ICREQ) or Initial Command Response (ICRESP) handshake, potentially resulting in a kernel panic. Corrective measures have been implemented to ensure that these pointers are validated before dereferencing, thereby preventing unintended system behavior.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Linux f775f2621c2ac5cc3a0b3a64665dad4fb146e510

Linux 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d < 76abc83a9d25593c2b7613c549413079c14a4686

Linux 2871aa407007f6f531fae181ad252486e022df42 < 7d75570002929d20e40110d6b03e46202c9d1bc7

References

https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff...
https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c54...
https://git.kernel.org/stable/c/7d75570002929d20e40110d6b...

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.