CVE-2026-22998
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's NVMe over TCP implementation allows attackers to cause kernel panics and system crashes by sending malformed H2C_DATA PDUs before proper command initialization. This affects systems using NVMe over TCP storage protocols. The vulnerability can be triggered remotely by sending specially crafted network packets.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash/kernel panic leading to denial of service, potential data corruption, and system instability requiring physical intervention.
Likely Case
System crash or kernel panic causing temporary denial of service until system reboot, potentially disrupting storage operations.
If Mitigated
No impact if proper network segmentation and access controls prevent unauthorized access to NVMe over TCP ports.
🎯 Exploit Status
Exploitation requires sending malformed H2C_DATA PDUs to the NVMe over TCP port. No authentication is needed if network access is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 32b63acd78f5, 374b095e265f, 3def52431507, 76abc83a9d25, 7d7557000292
Vendor Advisory: https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check distribution security advisories for backported patches.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the NVMe over TCP port (typically 4420) using firewall rules
iptables -A INPUT -p tcp --dport 4420 -j DROP
firewall-cmd --permanent --remove-port=4420/tcp
firewall-cmd --reload
Disable NVMe over TCP
Disable NVMe over TCP functionality if not required
modprobe -r nvmet-tcp
echo 'blacklist nvmet-tcp' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NVMe over TCP traffic to trusted networks only
- Use host-based firewalls to restrict access to port 4420 to only authorized storage clients
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if NVMe over TCP module is loaded: lsmod | grep nvmet_tcp && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits or check if distribution has backported patches via security advisories
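Because the port is only "typically" 4420, the check above can be extended by reading the listeners the target is actually configured with. The following is an added example, not part of the original advisory; it assumes the target is configured through the kernel's nvmet configfs tree at /sys/kernel/config/nvmet, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example: enumerate NVMe/TCP target listeners from the nvmet configfs tree.
# Usage: nvmet_tcp_listeners [configfs_root]   (default /sys/kernel/config/nvmet)
nvmet_tcp_listeners() {
    root="${1:-/sys/kernel/config/nvmet}"
    for port in "$root"/ports/*; do
        [ -r "$port/addr_trtype" ] || continue
        [ "$(cat "$port/addr_trtype")" = "tcp" ] || continue   # skip rdma, fc, loop
        addr=$(cat "$port/addr_traddr")
        svc=$(cat "$port/addr_trsvcid")
        # The target only listens on a port once a subsystem is linked to it.
        subs=$(find "$port/subsystems" -mindepth 1 -maxdepth 1 2>/dev/null | wc -l | tr -d ' ')
        case "$addr" in
            0.0.0.0|::) scope="all-interfaces" ;;   # reachable on every address of the host
            *)          scope="single-address" ;;
        esac
        printf '%s port=%s addr=%s svc=%s subsystems=%s\n' \
            "$scope" "${port##*/}" "$addr" "$svc" "$subs"
    done
}

# Constructed sample tree (not real configfs) so the function can be tried offline.
mkport() {  # mkport ROOT ID TRTYPE TRADDR TRSVCID
    d="$1/ports/$2"
    mkdir -p "$d/subsystems"
    printf '%s\n' "$3" > "$d/addr_trtype"
    printf '%s\n' "$4" > "$d/addr_traddr"
    printf '%s\n' "$5" > "$d/addr_trsvcid"
}

make_sample_tree() {
    t=$(mktemp -d)
    mkport "$t" 1 tcp  0.0.0.0    4420
    mkport "$t" 2 tcp  192.0.2.10 4420
    mkport "$t" 3 rdma 192.0.2.10 4420
    ln -s /dev/null "$t/ports/1/subsystems/constructed-subsys"
    printf '%s\n' "$t"
}
```

Run `nvmet_tcp_listeners` as root on a target host; any `all-interfaces` line with a non-zero subsystem count is a listener that the firewall rules need to cover.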
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- System crash/reboot logs
- NVMe error messages in dmesg or system logs
Network Indicators:
- Unexpected H2C_DATA PDUs sent before CONNECT commands
- Traffic to port 4420 from unauthorized sources
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "NULL pointer dereference") AND "nvmet"
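A kernel oops usually spreads the fault marker and the module context over separate log lines, so a query that needs both terms in one event can miss it when logs are ingested line by line. The following is an added example, not part of the original advisory, that correlates the same terms across a window of lines; the log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: correlate kernel fault markers with nvmet context across lines.
# Constructed log lines; no single line carries both a fault marker and "nvmet".
sample_log() {
cat <<'EOF'
Jan 01 00:00:01 host kernel: nvmet: creating controller 1 for subsystem constructed-nqn
Jan 01 00:00:02 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
Jan 01 00:00:02 host kernel: Oops: 0000 [#1] SMP
Jan 01 00:00:02 host kernel: CPU: 2 PID: 113 Comm: kworker/2:1H
Jan 01 00:00:02 host kernel: Workqueue: nvmet_tcp_wq nvmet_tcp_io_work [nvmet_tcp]
Jan 01 00:00:02 host kernel: Kernel panic - not syncing: Fatal exception
Jan 01 09:30:00 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
Jan 01 09:30:00 host kernel: RIP: 0010:constructed_driver_fn+0x1a/0x40 [constructed_mod]
EOF
}

# The query applied per line: a marker AND "nvmet" on the same line. Prints a count.
per_line_hits() {
    grep -E 'panic|Oops|NULL pointer dereference' | grep 'nvmet' | wc -l | tr -d ' '
}

# Windowed form: print the first marker line of each fault that is followed,
# within WINDOW lines (default 40), by a line mentioning nvmet.
window_hits() {
    awk -v window="${1:-40}" '
        /panic|Oops|NULL pointer dereference/ {
            if (left <= 0) marker = $0      # keep the first marker of a fault
            left = window + 1               # +1 so the marker line itself is checked
        }
        left > 0 {
            if ($0 ~ /nvmet/) { print marker; left = 0 }
            else left--
        }
    '
}
```

On the sample, `sample_log | per_line_hits` reports 0 while `sample_log | window_hits` prints the first fault's marker line and ignores the unrelated later fault.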
🔗 References
- https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
- https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
- https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
- https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686
- https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7
- https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe
- https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4