CVE-2026-23261 Overview
CVE-2026-23261 is a memory leak vulnerability in the Linux kernel's NVMe over Fibre Channel (nvme-fc) transport driver. The flaw resides in the nvme_fc_init_ctrl() function, which allocates admin block multi-queue (blk-mq) resources after nvme_add_ctrl() succeeds. When subsequent initialization steps fail, the controller setup jumps to the fail_ctrl path. That path tears down controller references but never frees the admin queue and tag set. The leak was identified via kmemleak reports during blktests nvme/fc runs.
Critical Impact
Repeated failed NVMe/FC controller initialization attempts progressively exhaust kernel memory, leading to resource depletion on systems using Fibre Channel-attached NVMe storage.
Affected Products
- Linux kernel — NVMe over Fibre Channel (nvme-fc) transport driver
- Systems using nvme_fabrics with Fibre Channel transport
- Stable kernel branches prior to the commits referenced in the kernel.org advisory
Discovery Timeline
- 2026-03-18 - CVE-2026-23261 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-23261
Vulnerability Analysis
The Linux NVMe fabrics subsystem creates NVMe/FC controllers via the call chain nvmf_dev_write() → nvmf_create_ctrl() → nvme_fc_create_ctrl() → nvme_fc_init_ctrl(). Inside nvme_fc_init_ctrl(), the kernel allocates admin blk-mq resources immediately after nvme_add_ctrl() returns successfully. The function then proceeds to perform additional setup, including changing the controller state and scheduling connect work.
If any post-allocation step fails, control flow transfers to the fail_ctrl cleanup label. This label releases controller references but does not invoke nvme_remove_admin_tag_set(). As a result, the admin queue and tag set allocations remain orphaned in kernel memory. The behavior was confirmed by kmemleak instrumentation during blktests nvme/fc regression runs.
Root Cause
The root cause is incomplete error-path cleanup in nvme_fc_init_ctrl(). The function allocates the admin tag set but the corresponding teardown is missing from the fail_ctrl path. This is a classic resource-leak pattern where allocation and release paths are not symmetric across all exit conditions.
Attack Vector
The vulnerability is triggered by local kernel activity rather than a remote network exploit. Triggering the leak requires repeated controller-creation failures via the NVMe fabrics interface. Each failed initialization leaks the admin tag set, gradually consuming kernel slab memory. The fix checks ctrl->ctrl.admin_tagset in the fail_ctrl path and calls nvme_remove_admin_tag_set() when it is set, ensuring all admin queue allocations are reclaimed when controller setup aborts.
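The asymmetric error path described above, shown as an added userspace model in C. This is not the kernel source or the upstream patch: model_ctrl, init_ctrl() and the helper names are hypothetical stand-ins, and a counter stands in for kernel memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; hypothetical stand-ins for the kernel objects. */
struct model_ctrl {
    void *admin_tagset;          /* stands in for ctrl->ctrl.admin_tagset */
};

static int live_tagsets;         /* admin tag sets allocated and not yet released */
static char tagset_token;        /* dummy object a "live" tag set points at */

static void alloc_admin_tag_set(struct model_ctrl *c)
{
    c->admin_tagset = &tagset_token;
    live_tagsets++;
}

static void remove_admin_tag_set(struct model_ctrl *c)
{
    c->admin_tagset = NULL;
    live_tagsets--;
}

/* Allocate the admin tag set, then run a later setup step that may fail.
 * 'patched' selects whether fail_ctrl releases the tag set. */
static int init_ctrl(bool later_step_fails, bool patched)
{
    struct model_ctrl c = { 0 };

    alloc_admin_tag_set(&c);
    if (later_step_fails)
        goto fail_ctrl;
    remove_admin_tag_set(&c);    /* stands in for normal controller teardown */
    return 0;

fail_ctrl:
    /* The check described in the advisory: release only if it was set. */
    if (patched && c.admin_tagset)
        remove_admin_tag_set(&c);
    return -1;
}

/* Run 'attempts' failing initialisations; return tag sets left behind. */
static int leaked_after(int attempts, bool patched)
{
    live_tagsets = 0;
    for (int i = 0; i < attempts; i++)
        init_ctrl(true, patched);
    return live_tagsets;
}

int main(void)
{
    printf("unpatched: %d leaked\n", leaked_after(1000, false));
    printf("patched:   %d leaked\n", leaked_after(1000, true));
    return 0;
}
```

In the model, every failed attempt on the unpatched path leaves one tag set outstanding, which is why retry loops against a failing fabric make the leak grow without bound.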
Detection Methods for CVE-2026-23261
Indicators of Compromise
- kmemleak reports referencing blk-mq tag set allocations originating from nvme_fc_init_ctrl()
- Growing kernel slab usage in blk_mq and nvme related caches without corresponding NVMe/FC controller instances
- Recurring NVMe/FC controller creation failures logged in dmesg or journalctl
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK on test systems and inspect /sys/kernel/debug/kmemleak for leaked allocations attributed to nvme_fc_init_ctrl()
- Monitor /proc/slabinfo for unbounded growth in blk_mq and kmalloc slab caches on hosts running NVMe/FC workloads
- Correlate kernel logs showing failed nvmf_create_ctrl() invocations with memory-pressure metrics
Monitoring Recommendations
- Track kernel memory consumption trends on NVMe/FC initiators using node-level telemetry
- Alert on repeated nvme nvme0: NVME-FC{...}: create association failed messages, which indicate the failure path is being exercised
- Audit kernel package versions across the fleet to identify hosts running pre-patch builds
How to Mitigate CVE-2026-23261
Immediate Actions Required
- Apply the upstream kernel patches referenced by the kernel.org commit identifiers 7c54d3f5ebbc, d1877cc72703, e810b290922c, and fa301aef50e3
- Rebase to a stable kernel release that incorporates the nvme-fc: release admin tagset if init fails fix
- Restart affected hosts after upgrade to reclaim any previously leaked admin tag set memory
Patch Information
The fix modifies the fail_ctrl cleanup path in nvme_fc_init_ctrl() to check ctrl->ctrl.admin_tagset and invoke nvme_remove_admin_tag_set() when the allocation is present. Patches are available across multiple stable branches via the Linux Kernel Git repository. Distribution vendors will incorporate the fix into their respective kernel updates.
Workarounds
- Avoid scripted or automated retry loops that repeatedly attempt to create NVMe/FC controllers when initialization is failing
- Investigate and resolve underlying Fibre Channel fabric or target-side issues that cause controller setup to abort
- Reboot hosts that exhibit growing blk-mq slab usage to reclaim leaked memory until a patched kernel is deployed
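# Verify the running kernel version
uname -r
# Trigger a kmemleak scan (needs root, CONFIG_DEBUG_KMEMLEAK and a mounted debugfs)
echo scan > /sys/kernel/debug/kmemleak
# Show leaked objects whose backtrace includes nvme_fc_init_ctrl, with the report header above it
grep -B 10 -A 5 nvme_fc_init_ctrl /sys/kernel/debug/kmemleak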

