CVE-2026-23148

{"id": "CVE-2026-23148", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-14T16:15:54.913", "references": [{"url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Call Trace:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnvmet: corregir condici\u00f3n de carrera en nvmet_bio_done() que lleva a una desreferencia de puntero NULL\n\nExiste una condici\u00f3n de carrera en nvmet_bio_done() que puede causar una desreferencia de puntero NULL en blk_cgroup_bio_start():\n\n1. nvmet_bio_done() es llamada cuando un bio se completa\n2. nvmet_req_complete() es llamada, lo que invoca req->ops->queue_response(req)\n3. La devoluci\u00f3n de llamada queue_response puede volver a encolar y volver a enviar la misma solicitud\n4. El reenv\u00edo reutiliza el mismo inline_bio de nvmet_req\n5. Mientras tanto, nvmet_req_bio_put() (llamada despu\u00e9s de nvmet_req_complete) invoca bio_uninit() para inline_bio, lo que establece bio->bi_blkg en NULL\n6. El bio reenviado entra en submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() desreferencia bio->bi_blkg, causando un fallo:\n\n ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000028\n #PF: acceso de lectura de supervisor en modo kernel\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Rastro de Llamada:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nCorregir esto reordenando nvmet_bio_done() para llamar a nvmet_req_bio_put() ANTES de nvmet_req_complete(). Esto asegura que el bio se limpie antes de que la solicitud pueda ser reenviada, previniendo la condici\u00f3n de carrera."}], "lastModified": "2026-03-17T21:12:43.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFABC310-8043-45B8-9F6C-094B74C9CA4C", "versionEndExcluding": "6.12.69", "versionStartIncluding": "6.12.37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEF58D78-987C-49EA-8F22-0EF0F89F0A2E", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A28A864A-0812-4D37-96BC-20142FCA21ED", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.16.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A9C2DE5-43B8-4D73-BDB5-EA55C7671A52"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}