CVE-2026-52989 - Vulnerability Details

- nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers

Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.

Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.

Fix this by shifting the error handling responsibility to the callers.

Published: 2026-06-24

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1385be357e8acd09b36e026567f3a9d5c61139de`	affected	< 3df42a854686fa06484e37ac1a3931c8e3e3453c
`dca1a6ba0da9f472ef040525fab10fd9956db59f`	affected	< d7c8f95f599b3b38a717d2e771c3f8c174f657c3
`19672ae68d52ff75347ebe2420dde1b07adca09f`	affected	< f9204a2b78dd18374d3bcf9bf93d9021ce22de1b
`ab200d71553bdcf4de554a5985b05b2dd606bc57`	affected	< c2a11441538bdbbc5aa003f190995eba93a89b88
`52a0a98549344ca20ad81a4176d68d28e3c05a5c`	affected	< 046fa5c72d15cd8e2d592e275697ea399d8f76b0
`52a0a98549344ca20ad81a4176d68d28e3c05a5c`	affected	< ea8e356acb165cb1fd75537a52e1f66e5e76c538
`043b4307a99f902697349128fde93b2ddde4686c`	affected	—
`42afe8ed8ad2de9c19457156244ef3e1eca94b5d`	affected	—
`6.1.163`	affected	< 6.1.175
`6.6.124`	affected	< 6.6.141
`6.12.70`	affected	< 6.12.91
`6.18.10`	affected	< 6.18.33
`5.10.250`	affected	< 5.11
`5.15.200`	affected	< 5.16

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1385be357e8acd09b36e026567f3a9d5c61139de,3df42a854686fa06484e37ac1a3931c8e3e3453c)`	affected	code_commit	—
`[dca1a6ba0da9f472ef040525fab10fd9956db59f,d7c8f95f599b3b38a717d2e771c3f8c174f657c3)`	affected	code_commit	—
`[19672ae68d52ff75347ebe2420dde1b07adca09f,f9204a2b78dd18374d3bcf9bf93d9021ce22de1b)`	affected	code_commit	—
`[ab200d71553bdcf4de554a5985b05b2dd606bc57,c2a11441538bdbbc5aa003f190995eba93a89b88)`	affected	code_commit	—
`[52a0a98549344ca20ad81a4176d68d28e3c05a5c,046fa5c72d15cd8e2d592e275697ea399d8f76b0)`	affected	code_commit	—
`[52a0a98549344ca20ad81a4176d68d28e3c05a5c,ea8e356acb165cb1fd75537a52e1f66e5e76c538)`	affected	code_commit	—
`043b4307a99f902697349128fde93b2ddde4686c`	affected	code_commit	—
`42afe8ed8ad2de9c19457156244ef3e1eca94b5d`	affected	code_commit	—
`[6.1.163,6.1.175)`	affected	semver	—
`[6.6.124,6.6.141)`	affected	semver	—
`[6.12.70,6.12.91)`	affected	semver	—
`[6.18.10,6.18.33)`	affected	semver	—
`[5.10.250,5.11)`	affected	semver	—
`[5.15.200,5.16)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	semver	—
`[0,6.19)`	unaffected	semver	—
`[6.1.175,7.0.0)`	unaffected	semver	—
`[6.6.141,7.0.0)`	unaffected	semver	—
`[6.12.91,7.0.0)`	unaffected	semver	—
`[6.18.33,7.0.0)`	unaffected	semver	—
`[7.0.10,8.0.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00497.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0
https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c
https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88
https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3
https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538
https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b
https://lore.kernel.org/linux-cve-announce/2026062444-CVE-2026-52989-beb8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52989
https://www.cve.org/CVERecord?id=CVE-2026-52989

History

Sun, 28 Jun 2026 11:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-665 CWE-682

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 26 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-390
References		https://lore.kernel.org/linux-cve-announce/2026062444-CVE-2026-52989-beb8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52989 https://www.cve.org/CVERecord?id=CVE-2026-52989
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 24 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-665 CWE-682

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.
Title		nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0 https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88 https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3 https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538 https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:03.398Z

Updated: 2026-06-28T06:37:43.647Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52989

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52989 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T13:15:16Z

Weaknesses

CWE-390

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object