VYPR
Unrated severity · NVD Advisory · Published Feb 14, 2026 · Updated Apr 15, 2026

CVE-2026-23179

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()

When the socket is closed while in TCP_LISTEN, a callback is run to flush all outstanding packets, which in turn calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held. So we need to check if we are in TCP_LISTEN before attempting to get the sk_callback_lock() to avoid a deadlock.
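A userspace C model of the lock ordering described above, added here as an illustration and not taken from the kernel source or the fix commits. The struct, enum and function names are hypothetical, and the model assumes the close path moves the socket out of the listen state before the flush callback runs.

```c
#include <stdio.h>

/* Userspace model; all names are hypothetical, not the kernel's struct sock. */
enum sk_state { ST_LISTEN, ST_CLOSE };
enum dr_result { DR_QUEUED, DR_SKIPPED, DR_DEADLOCK };
/* lock_held models a non-recursive sk_callback_lock. */
struct model_sock { enum sk_state state; int lock_held; int accept_queued; };

/* Returns -1 where re-acquiring a real non-recursive lock would hang. */
static int model_lock(struct model_sock *sk) {
    if (sk->lock_held) return -1;
    sk->lock_held = 1;
    return 0;
}
static void model_unlock(struct model_sock *sk) { sk->lock_held = 0; }

/* Assumed pre-fix shape: take the lock, then look at the state. */
static enum dr_result data_ready_lock_first(struct model_sock *sk) {
    enum dr_result r = DR_SKIPPED;
    if (model_lock(sk) < 0) return DR_DEADLOCK;
    if (sk->state == ST_LISTEN) { sk->accept_queued++; r = DR_QUEUED; }
    model_unlock(sk);
    return r;
}

/* Shape the description asks for: check the state before the lock. */
static enum dr_result data_ready_check_first(struct model_sock *sk) {
    if (sk->state != ST_LISTEN) return DR_SKIPPED;
    if (model_lock(sk) < 0) return DR_DEADLOCK;
    sk->accept_queued++;
    model_unlock(sk);
    return DR_QUEUED;
}

/* Close path (model assumption): the state leaves LISTEN, then the flush
 * runs the data-ready callback with the callback lock already held. */
static enum dr_result close_listener(struct model_sock *sk,
        enum dr_result (*data_ready)(struct model_sock *)) {
    sk->state = ST_CLOSE;
    model_lock(sk);
    enum dr_result r = data_ready(sk);
    model_unlock(sk);
    return r;
}

int main(void) {
    struct model_sock a = { ST_LISTEN, 0, 0 }, b = { ST_LISTEN, 0, 0 };
    printf("lock-first on close:  %d\n", close_listener(&a, data_ready_lock_first));
    printf("check-first on close: %d\n", close_listener(&b, data_ready_check_first));
    return 0;
}
```

In the model, the lock-first handler reports the self-deadlock on close, while the check-first handler returns before touching the lock and still queues accept work on a live listener.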

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A deadlock in the Linux kernel's NVMe-over-TCP target (nvmet-tcp) can occur when a socket is closed while in TCP_LISTEN, leading to a system hang.

Vulnerability

Overview

In the Linux kernel's NVMe-over-TCP target (nvmet-tcp), a deadlock can occur in the nvmet_tcp_listen_data_ready() function. The root cause is that when a socket is closed while in the TCP_LISTEN state, a callback is invoked to flush outstanding packets, which calls nvmet_tcp_listen_data_ready() with the sk_callback_lock already held. If the function then tries to acquire the same lock, a deadlock results.

Exploitation

The vulnerability is triggered during socket closure on a listening socket within the nvmet-tcp subsystem. An attacker with the ability to influence networking operations—such as sending a FIN or RST to a listening port—could induce the deadlock. No special privileges are required beyond network access to the target's listening port. The attack surface is limited to systems running the nvmet-tcp module, typically used in storage area networks.

Impact

Successful exploitation causes a kernel deadlock, rendering the system unresponsive. This constitutes a denial-of-service (DoS) condition. The hang prevents the system from processing further network or I/O operations until a reboot. There is no evidence of data corruption or privilege escalation.

Mitigation

The fix was introduced in Linux kernel stable commits [1][2] that add a check for the TCP_LISTEN state before attempting to acquire the lock. Users should apply the latest stable updates. No workaround exists other than disabling the nvmet-tcp module if not needed.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
