CVE-2026-46135

EUVD-2026-32762
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix race between ICReq handling and queue teardown

nvmet_tcp_handle_icreq() updates queue->state after sending an
Initialization Connection Response (ICResp), but it does so without
serializing against target-side queue teardown.

If an NVMe/TCP host sends an Initialization Connection Request
(ICReq) and immediately closes the connection, target-side teardown
may start in softirq context before io_work drains the already
buffered ICReq. In that case, nvmet_tcp_schedule_release_queue()
sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue
reference under state_lock.

If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can
still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the
DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and
allows a later socket state change to re-enter teardown and issue a
second kref_put() on an already released queue.

The ICResp send failure path has the same problem. If teardown has
already moved the queue to DISCONNECTING, a send error can still
overwrite the state with NVMET_TCP_Q_FAILED, again reopening the
window for a second teardown path to drop the queue reference.

Fix this by serializing both post-send state transitions with
state_lock and bailing out if teardown has already started.

Use -ESHUTDOWN as an internal sentinel for that bail-out path rather
than propagating it as a transport error like -ECONNRESET. Keep
nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before
honoring that sentinel so receive-side parsing stays quiesced until the
existing release path completes.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.0 ≤
𝑥
< 6.12.88
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.30
linuxlinux_kernel
6.19 ≤
𝑥
< 7.0.7
linuxlinux_kernel
7.1:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.1.3-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.94-1
fixed
trixie (security)
6.12.95-1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
kernel
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-devel
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-devel-matched
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-modules
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-debug-modules-extra
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-devel
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-devel-matched
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-modules
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-64k-modules-extra
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-abi-stablelists
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-core
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-core
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-devel
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-debug-uki-virt
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-devel
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-doc
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-modules
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug-devel
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug-modules
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-debug-modules-extra
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-devel
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-modules
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-64k-modules-extra
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-core
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug-core
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug-devel
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug-kvm
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
kernel-rt-debug-modules
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-debug-modules-extra
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-devel
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-kvm
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
kernel-rt-modules
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-rt-modules-extra
RHEL 8
0:4.18.0-553.136.1.rt7.477.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-tools
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-tools-libs
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-tools-libs-devel
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-uki-virt
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-uki-virt-addons
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-modules-core
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
libperf
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
perf
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
python3-perf
RHEL 8
0:4.18.0-553.136.1.el8_10
fixed
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
rtla
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed
rv
RHEL 9
0:5.14.0-687.17.1.el9_8
fixed