CVE-2026-23148 Overview
A race condition vulnerability has been identified in the Linux kernel's NVMe Target (nvmet) subsystem, specifically within the nvmet_bio_done() function. This vulnerability can cause a NULL pointer dereference in blk_cgroup_bio_start(), resulting in a kernel crash and potential denial of service conditions on systems utilizing NVMe over Fabrics target functionality.
Critical Impact
This race condition can cause kernel crashes on systems running NVMe Target services, leading to denial of service and potential system instability in storage infrastructure environments.
Affected Products
- Linux Kernel (nvmet module)
- Systems utilizing NVMe over Fabrics target functionality
- Block storage subsystems with cgroup integration
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23148 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23148
Vulnerability Analysis
This vulnerability is a classic Time-of-Check Time-of-Use (TOCTOU) race condition occurring in the NVMe Target subsystem's bio completion handling. The issue arises from improper ordering of operations in nvmet_bio_done(), where the request completion callback can trigger a re-submission of the same request before the bio has been properly cleaned up.
The race manifests in the following sequence: when a bio completes, nvmet_bio_done() calls nvmet_req_complete(), which invokes the queue_response callback. This callback can re-queue and re-submit the same request, reusing the same inline_bio from nvmet_req. Concurrently, nvmet_req_bio_put() (called after nvmet_req_complete()) invokes bio_uninit() for the inline_bio, which sets bio->bi_blkg to NULL. When the re-submitted bio enters submit_bio_noacct_nocheck(), the subsequent call to blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a NULL pointer dereference and kernel panic.
Root Cause
The root cause is the incorrect ordering of function calls in nvmet_bio_done(). The function calls nvmet_req_complete() before nvmet_req_bio_put(), creating a window where the request can be re-submitted while the bio structure is still considered valid, but then immediately invalidated by the bio cleanup routine. The bi_blkg field is set to NULL by bio_uninit(), but the re-submitted bio expects this field to contain a valid pointer to the block cgroup structure.
Attack Vector
The attack vector for this vulnerability is local and requires the ability to generate NVMe Target I/O operations that trigger rapid bio completion and re-submission cycles. The vulnerability is triggered through a race condition that depends on specific timing conditions during concurrent bio processing.
The kernel crash manifests with the following call trace pattern:
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
Call Trace:
submit_bio_noacct_nocheck+0x44/0x250
nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
process_one_work+0x193/0x3c0
worker_thread+0x281/0x3a0
The fix reorders the operations in nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(), ensuring the bio is properly cleaned up before any potential re-submission can occur.
Detection Methods for CVE-2026-23148
Indicators of Compromise
- Kernel panic messages containing BUG: kernel NULL pointer dereference with RIP pointing to blk_cgroup_bio_start
- Call traces showing nvmet_bdev_execute_rw in the backtrace
- System crashes or unexpected reboots on NVMe Target servers under high I/O load
- Kernel oops messages referencing the nvmet module
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors associated with the nvmet module
- Implement kernel panic detection and alerting mechanisms
- Review dmesg output for blk_cgroup_bio_start crash signatures
- Enable kernel crash dump collection (kdump) for post-mortem analysis
Monitoring Recommendations
- Configure syslog monitoring for kernel panic events on systems running nvmet services
- Set up automated alerts for unexpected system reboots on NVMe Target infrastructure
- Monitor system stability metrics for NVMe over Fabrics deployments
- Enable kernel tracing on nvmet functions during high-load scenarios for proactive detection
How to Mitigate CVE-2026-23148
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Review NVMe Target deployments for signs of instability or crashes
- Consider temporarily reducing I/O load on affected systems until patches are applied
- Implement monitoring for kernel panic events related to nvmet
Patch Information
The vulnerability has been addressed through kernel patches that reorder the function calls in nvmet_bio_done(). The fix ensures that nvmet_req_bio_put() is called BEFORE nvmet_req_complete(), eliminating the race condition window.
The patches are available through the stable kernel branches:
Workarounds
- If immediate patching is not possible, consider disabling the nvmet module on non-critical systems
- Reduce concurrent I/O operations on NVMe Target systems to minimize the likelihood of triggering the race condition
- Implement redundant NVMe Target infrastructure to maintain availability during potential crashes
- Monitor affected systems closely and schedule maintenance windows for kernel updates
# Check current kernel version and nvmet module status
uname -r
lsmod | grep nvmet
# Verify kernel patches are applied by checking commit history
# Update kernel to latest stable version with the fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
