Description
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling. Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing.
Report
The vulnerability lies in the lack of validation for list membership in nvme_tcp_handle_r2t(), potentially allowing malicious R2T PDUs to introduce list corruption or loops. This could lead to denial of service or memory corruption. The Privileges metric for the CVSS score is Low, as the attacker only needs access to an NVMe TCP queue, which may be exposed via user-level networking or containerized environments. This bug can be triggered remotely if a Linux system connects to a malicious or compromised NVMe-over-TCP target. The attacker, by crafting a malformed R2T PDU, could cause list corruption in the initiator's kernel, potentially leading to memory corruption or denial of service. The issue is not locally triggerable by userspace but can be remotely exploited by an attacker controlling the target. The config option CONFIG_NVME_COMMON is disabled in all versions of Red Hat Enterprise Linux, so as a result all versions are not affected.
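The missing list-membership check described above, as a user-space C model added here for illustration (it is not kernel code and not the upstream patch). A request marks itself as "on no list" by pointing at itself; the struct and function names are hypothetical, and the replayed sequence is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the bug class; all names are hypothetical, not kernel code. */
struct req { struct req *next; };          /* next == self means "on no list" */
struct queue { struct req *head; };

static void req_init(struct req *r) { r->next = r; }
static bool req_on_list(const struct req *r) { return r->next != r; }

/* validate=false queues whatever the peer names; validate=true checks membership first. */
static int push(struct queue *q, struct req *r, bool validate)
{
    if (validate && req_on_list(r))
        return -1;                         /* protocol error: request is already queued */
    r->next = q->head;
    q->head = r;
    return 0;
}

/* Floyd cycle detection, used only to observe the corruption without hanging. */
static bool queue_has_loop(const struct queue *q)
{
    const struct req *slow = q->head, *fast = q->head;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return true;
    }
    return false;
}

/* Replays one constructed sequence (a, b, then a again) through either path. */
static bool replay_creates_loop(bool validate, int *rejected)
{
    struct req a, b, *seq[] = { &a, &b, &a };
    struct queue q = { NULL };
    req_init(&a); req_init(&b); *rejected = 0;
    for (size_t i = 0; i < 3; i++)
        if (push(&q, seq[i], validate) < 0) (*rejected)++;
    return queue_has_loop(&q);
}

int main(void)
{
    int r0, r1;
    bool off = replay_creates_loop(false, &r0), on = replay_creates_loop(true, &r1);
    printf("unchecked: loop=%d rejected=%d\nchecked: loop=%d rejected=%d\n", off, r0, on, r1);
    return 0;
}
```

Without validation the second push of the same request rewrites its `next` pointer and closes the list into a cycle, so any code that drains the list never terminates; with validation the duplicate is rejected and the list stays finite.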
Mitigation
Check whether the kernel config option CONFIG_NVME_COMMON is disabled or could be disabled. If it is disabled, the system is not vulnerable.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 8 | kernel | Not affected | | |
Red Hat Enterprise Linux 8 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 9 | kernel | Not affected | | |
Red Hat Enterprise Linux 9 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:12662 | 04.08.2025 |
Additional information
Status:
EPSS
CVSS3: 7.1 High