CVE-2026-23376
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fcloop: Check remoteport port_state before calling done callback
In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources.
Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state. If online, then lsrsp->done callback will free the lsrsp. Else, return -ENODEV to signal the nvme-fc transport to handle freeing lsrsp.
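The ownership rule described above, written as a small userspace C model. This is an added example, not kernel or fcloop source: the struct, enum and function names are hypothetical stand-ins for the kernel objects named in the description, and frees are counted rather than performed so the invariant can be checked.

```c
/* Added userspace model, not kernel source; names are hypothetical, frees are counted. */
#include <errno.h>
#include <stdio.h>

enum port_state { PORT_ONLINE, PORT_OFFLINE };  /* ONLINE models FC_OBJSTATE_ONLINE */

struct ls_rsp {
    void (*done)(struct ls_rsp *);  /* armed by the transport only when online */
    int frees;                      /* how many times the response was released */
    int bad_done;                   /* completions attempted with no done armed */
};

static void transport_free(struct ls_rsp *r) { r->frees++; }  /* models nvme_fc_xmt_ls_rsp_free */

/* LLDD transmit hook. checked=1 is the fixed shape: refuse unless online. */
static int lldd_xmt_ls_rsp(enum port_state st, struct ls_rsp *r, int checked)
{
    if (checked && st != PORT_ONLINE)
        return -ENODEV;             /* transport keeps ownership and frees */
    if (r->done)
        r->done(r);                 /* online: the done callback releases r */
    else
        r->bad_done++;              /* model only: LLDD completed without a callback */
    return 0;
}

/* Transport side: arm done only when online, free locally on LLDD error. */
static struct ls_rsp transport_send(enum port_state st, int checked)
{
    struct ls_rsp r = { 0 };
    if (st == PORT_ONLINE)
        r.done = transport_free;
    if (lldd_xmt_ls_rsp(st, &r, checked) != 0)
        transport_free(&r);
    return r;
}

/* Invariant: released exactly once, and only by the side that owns it. */
static int ownership_ok(enum port_state st, int checked)
{
    struct ls_rsp r = transport_send(st, checked);
    return r.frees == 1 && r.bad_done == 0;
}

int main(void)
{
    printf("fixed: online=%d offline=%d | unchecked offline=%d\n",
           ownership_ok(PORT_ONLINE, 1), ownership_ok(PORT_OFFLINE, 1),
           ownership_ok(PORT_OFFLINE, 0));
    return 0;
}
```

With the state check in place the invariant holds in both port states; without it, the offline case is the only one that breaks.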
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nvmet-fcloop driver, a missing remoteport state check could cause a double-free on link down, fixed by returning -ENODEV when OFFLINE.
Vulnerability Analysis
A flaw has been found in the Linux kernel's nvmet-fcloop driver, which is used for testing the NVMe-over-Fabrics (NVMe-oF) transport loopback. The core issue is in the fcloop_t2h_xmt_ls_rsp routine, where it unconditionally calls the lsrsp->done callback to free the LS request response (lsrsp) resources. However, in the NVMe-fc transport layer (nvme_fc_handle_ls_rqst_work), the done callback is only set when the remote port is in the FC_OBJSTATE_ONLINE state. If the remote port is offline, the done callback is not set, and the transport layer expects the low-level driver (LLDD) to fail the xmt_ls_rsp call, so the transport itself calls nvme_fc_xmt_ls_rsp_free to free the lsrsp. This mismatch leads to a double-free situation in the fcloop driver [1].
Exploitation and Impact
The vulnerability is exploitable when the remote port transitions to an offline state while an LS request is being handled. An attacker who can cause a link down or port state change on a system running the fcloop driver could trigger this double-free. No authentication is needed if the system is already using NVMe-oF loopback for testing. The impact of a double-free can range from memory corruption to a system crash (denial of service). The CVSS v3 score of 5.5 (Medium) reflects the potential for a local denial of service, as the attacker must have some ability to influence the remote port state [2].
Mitigation
The fix, included in the referenced commit, adds a check on remoteport->port_state before proceeding with the done callback. If the port state is not FC_OBJSTATE_ONLINE, the function returns -ENODEV, signaling to the NVMe-fc transport that it should handle the cleanup itself, thereby preventing the double-free. Linux kernel users should update to a kernel containing this commit (patched versions vary by distribution) [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (10)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.17.3,<6.18)
- cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References (3)