CVE-2026-46135
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fix race between ICReq handling and queue teardown
nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.
If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.
If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.
The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.
Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.
Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.
Affected products
79- osv-coords78 versionspkg:linux/kernelpkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweed
>= 5.0.0, < 6.6.144+ 77 more
- (no CPE)range: >= 5.0.0, < 6.6.144
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 5.14.0-687.17.1.el9_8
- (no CPE)range: < 7.0.11-1.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.