NULL Pointer Dereference Vulnerability in Linux Kernel's NVMe TCP Component
CVE-2026-22998

Currently unrated

Key Information:

Vendor

Linux
Status
Linux
Vendor
CVE Published:
25 January 2026

What is CVE-2026-22998?

A vulnerability exists in the NVMe TCP implementation of the Linux kernel that could lead to NULL pointer dereferences when processing Host-to-Controller (H2C) Data Protocol Data Units (PDUs). The issue arises because the required command data structures, specifically cmd->req.sg and cmd->iov, are not adequately validated prior to their use. This flaw can be exploited by an attacker sending H2C_DATA PDUs immediately after the Initial Command Request (ICREQ) or Initial Command Response (ICRESP) handshake, potentially resulting in a kernel panic. Corrective measures have been implemented to ensure that these pointers are validated before dereferencing, thereby preventing unintended system behavior.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Linux efa56305908ba20de2104f1b8508c6a7401833be < 3def5243150716be86599c2a1767c29c68838b6d

Linux efa56305908ba20de2104f1b8508c6a7401833be < 374b095e265fa27465f34780e0eb162ff1bef913

Linux efa56305908ba20de2104f1b8508c6a7401833be < 32b63acd78f577b332d976aa06b56e70d054cbba

References

https://git.kernel.org/stable/c/3def5243150716be86599c2a1...
https://git.kernel.org/stable/c/374b095e265fa27465f34780e...
https://git.kernel.org/stable/c/32b63acd78f577b332d976aa0...

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.