VYPR
Unrated severity · NVD Advisory · Published Feb 14, 2026 · Updated Apr 15, 2026

CVE-2026-23174


Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: handle changing device dma map requirements

The initial state of dma_needs_unmap may be false, but change to true while mapping the data iterator. Enabling swiotlb is one such case that can change the result. The nvme driver needs to save the mapped dma vectors to be unmapped later, so allocate as needed during iteration rather than assume it was always allocated at the beginning. This fixes a NULL dereference from accessing an uninitialized dma_vecs when the device dma unmapping requirements change mid-iteration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in nvme-pci occurs when DMA unmapping requirements change mid-iteration, requiring dynamic allocation of dma_vecs.

Vulnerability Description

In the Linux kernel's NVMe PCIe driver (nvme-pci), a NULL pointer dereference vulnerability exists when the device's DMA map requirements change during data iterator mapping. The driver initially assumes that the dma_needs_unmap flag is constant, but certain configurations, such as enabling swiotlb, can cause this flag to change from false to true mid-operation. When the flag transitions, the driver attempts to access dma_vecs (a dynamically allocated array for storing DMA mapping vectors), which may not have been allocated if the initial state was false.

Exploitation Scenario

An attacker with local access or the ability to influence DMA configuration (e.g., via device hotplug or kernel parameters that trigger swiotlb) could trigger this condition. The vulnerability does not require prior authentication beyond standard user access to trigger kernel operations. The race condition between the initial check of dma_needs_unmap and the actual mapping operation leads to an uninitialized pointer dereference.

Impact

Successful exploitation results in a NULL pointer dereference, causing a kernel panic (denial of service). In some environments, this could be leveraged for privilege escalation if the panic can be controlled or if memory corruption occurs. The impact is primarily system availability, with potential for information disclosure or escalation under specific kernel configurations.

Mitigation

The fix, introduced in a stable kernel commit [1], modifies the driver to allocate dma_vecs dynamically during iteration rather than assuming pre-allocation. This ensures that if the DMA unmapping requirement changes, memory is allocated on-demand. Users should apply the latest stable kernel updates that include commit 071be3b0b6575d45be9df9c5b612f5882bfc5e88.
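
The allocation pattern the fix describes, as an added userspace C model that is not the kernel patch or the driver's own code: the saved-vector array is allocated on first use inside the mapping loop, so a request whose early segments needed no unmap still records the later ones. All names (`struct req`, `needs_unmap`, `save_vec`, `flip_at`) and the sample addresses are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; all names are hypothetical, not the driver's. */
struct vec { unsigned long addr; size_t len; };
struct req { struct vec *dma_vecs; size_t nr_vecs, max_segs; };

/* Stand-in for the per-segment unmap query: false until segment flip_at. */
static bool needs_unmap(size_t seg, size_t flip_at) { return seg >= flip_at; }

/* Save one mapped segment, allocating the array on first use. */
static int save_vec(struct req *r, unsigned long addr, size_t len)
{
    if (!r->dma_vecs) {
        r->dma_vecs = calloc(r->max_segs, sizeof(*r->dma_vecs));
        if (!r->dma_vecs)
            return -1;
    }
    r->dma_vecs[r->nr_vecs++] = (struct vec){ addr, len };
    return 0;
}

/* Map nsegs segments; returns the number of vectors saved, -1 on failure. */
static long map_request(struct req *r, size_t nsegs, size_t flip_at)
{
    *r = (struct req){ NULL, 0, nsegs };
    for (size_t i = 0; i < nsegs; i++) {
        /* Ask per segment: an earlier "false" says nothing about this one. */
        if (needs_unmap(i, flip_at) && save_vec(r, 0x1000UL * (i + 1), 4096) < 0)
            return -1;   /* calloc failed, so dma_vecs is still NULL */
    }
    return (long)r->nr_vecs;
}

/* Teardown is safe whether or not the array was ever allocated. */
static void unmap_request(struct req *r)
{
    free(r->dma_vecs);
    *r = (struct req){ 0 };
}

int main(void)
{
    struct req r;
    printf("saved %ld vectors\n", map_request(&r, 4, 2));
    unmap_request(&r);
    return 0;
}
```

A design that allocates only when the query is true before the loop starts would reach `save_vec` with a NULL array in the `flip_at = 2` case, which is the failure the advisory describes.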

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
