CVE-2023-6535: Linux Kernel NVMe Driver DoS Vulnerability

CVE-2023-6535 Overview

CVE-2023-6535 is a NULL pointer dereference [CWE-476] in the Linux kernel's NVMe over TCP (NVMe/TCP) driver. An unauthenticated remote attacker can send a sequence of crafted TCP packets to an NVMe/TCP endpoint and trigger a NULL pointer dereference inside the kernel. The result is a kernel panic, producing a denial of service on the affected host. The flaw is network-reachable, requires no privileges, and impacts availability only.

The vulnerability affects upstream Linux kernel builds and multiple Red Hat Enterprise Linux variants that ship the nvme-tcp module. NetApp, Debian, and Fedora distributions also published fixes downstream.

Critical Impact

Remote, unauthenticated attackers can crash any Linux host exposing an NVMe-over-TCP target, taking storage fabric nodes offline without authentication or user interaction.

Affected Products

• Linux kernel (upstream) with the nvme-tcp driver enabled
• Red Hat Enterprise Linux 8.x and 9.x (including EUS, AUS, TUS, and Real Time variants)
• Red Hat Virtualization Host 4.0 and Red Hat CodeReady Linux Builder (multi-architecture)

Discovery Timeline

• 2024-02-07 - CVE-2023-6535 published to the National Vulnerability Database
• 2024-02-08 - Red Hat publishes initial advisories RHSA-2024:0723, RHSA-2024:0724, and RHSA-2024:0725
• 2024-04-15 - NetApp releases advisory NTAP-20240415-0003
• 2024-06 - Debian LTS ships kernel fixes
• 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2023-6535

Vulnerability Analysis

The flaw resides in the kernel's NVMe over TCP transport, which exposes block storage targets via the NVMe protocol on top of TCP. When the driver receives a sequence of malformed protocol data units (PDUs), an internal code path dereferences a pointer that has not been initialized or has already been released. Because the dereference occurs in kernel context, the access to an invalid address triggers an oops and a kernel panic, halting the entire system.

The vulnerability is reachable across the network because NVMe/TCP listens for connections on a TCP port and parses incoming PDUs before any authentication of the host is fully established. An attacker who can reach the target port can therefore terminate the kernel without credentials or user interaction. The impact is limited to availability — there is no memory disclosure or code execution path described in the advisory.

Root Cause

The root cause is a missing NULL check in the nvme-tcp PDU handling logic. Under specific packet sequences, a structure pointer used during PDU dispatch is consulted before validation, satisfying the conditions for a classic NULL pointer dereference as catalogued under [CWE-476].

Attack Vector

The attack vector is purely network-based. An adversary with TCP reachability to an exposed NVMe/TCP target port (typically 4420) crafts a malformed PDU sequence and transmits it to the listener. The kernel parses the PDUs, hits the invalid pointer, and panics. No authentication, prior session, or local foothold is required. Hosts that confine NVMe/TCP to isolated storage VLANs are significantly less exposed than those that allow general network reach to the target.

Detection Methods for CVE-2023-6535

Indicators of Compromise

• Unscheduled kernel panics on hosts running nvme-tcp with stack traces referencing the NVMe TCP receive or PDU handling functions
• BUG: kernel NULL pointer dereference entries in dmesg or /var/log/messages correlating with inbound traffic on TCP port 4420
• Repeated TCP connections from untrusted sources to NVMe/TCP listener ports immediately preceding host crashes

Detection Strategies

• Monitor kernel ring buffer output and journalctl -k for NULL pointer dereference oops messages referencing nvme_tcp_* symbols
• Correlate host unavailability events with network flow logs targeting NVMe/TCP ports to identify abuse patterns
• Inventory hosts loading the nvme_tcp kernel module using lsmod | grep nvme_tcp to scope exposure

Monitoring Recommendations

• Forward kernel logs to a centralized logging or SIEM platform and alert on nvme_tcp oops signatures
• Track TCP connections to port 4420 from outside the storage network segment and alert on anomalies
• Baseline the uptime and crash frequency of NVMe/TCP target hosts to detect repeated denial-of-service attempts

How to Mitigate CVE-2023-6535

Immediate Actions Required

• Apply the kernel updates referenced in Red Hat advisories RHSA-2024:0723, RHSA-2024:0724, RHSA-2024:0725, RHSA-2024:0881, RHSA-2024:0897, RHSA-2024:1248, RHSA-2024:2094, and RHSA-2024:3810 on affected systems
• Restrict access to NVMe/TCP target ports using network ACLs and host firewalls so that only authorized initiators can connect
• Reboot patched hosts to load the updated kernel and confirm with uname -r that the fixed version is active

Patch Information

Vendor fixes are tracked in the Red Hat CVE Analysis CVE-2023-6535 and Red Hat Bugzilla Report #2254053. Distribution-specific updates are available via the Debian LTS Announcement June 2024, the Fedora Package Announcement, and the NetApp Security Advisory NTAP-20240415-0003.

Workarounds

• Unload the nvme_tcp kernel module on systems that do not require NVMe over TCP using modprobe -r nvme_tcp and blacklist the module to prevent reload
• Confine NVMe/TCP traffic to a dedicated, isolated storage VLAN that is unreachable from untrusted client and management networks
• Place NVMe/TCP targets behind stateful firewalls that permit connections only from known initiator IP addresses

# Blacklist the nvme_tcp module on hosts that do not need NVMe over TCP
echo "blacklist nvme_tcp" | sudo tee /etc/modprobe.d/blacklist-nvme-tcp.conf
sudo modprobe -r nvme_tcp

# Restrict inbound NVMe/TCP traffic (port 4420) to a trusted storage subnet
sudo iptables -A INPUT -p tcp --dport 4420 -s 10.10.20.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 4420 -j DROP