CVE-2026-23261: Linux Kernel Privilege Escalation Bug

CVE-2026-23261 Overview

CVE-2026-23261 is a memory leak vulnerability in the Linux kernel's NVMe over Fibre Channel (nvme-fc) transport driver. The flaw resides in the nvme_fc_init_ctrl() function, which allocates admin block multi-queue (blk-mq) resources after nvme_add_ctrl() succeeds. When subsequent initialization steps fail, the controller setup jumps to the fail_ctrl path. That path tears down controller references but never frees the admin queue and tag set. The leak was identified via kmemleak reports during blktests nvme/fc runs.

Critical Impact

Repeated failed NVMe/FC controller initialization attempts progressively exhaust kernel memory, leading to resource depletion on systems using Fibre Channel-attached NVMe storage.

Affected Products

• Linux kernel — NVMe over Fibre Channel (nvme-fc) transport driver
• Systems using nvme_fabrics with Fibre Channel transport
• Stable kernel branches prior to the commits referenced in the kernel.org advisory

Discovery Timeline

• 2026-03-18 - CVE-2026-23261 published to NVD
• 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-23261

Vulnerability Analysis

The Linux NVMe fabrics subsystem creates NVMe/FC controllers via the call chain nvmf_dev_write() → nvmf_create_ctrl() → nvme_fc_create_ctrl() → nvme_fc_init_ctrl(). Inside nvme_fc_init_ctrl(), the kernel allocates admin blk-mq resources immediately after nvme_add_ctrl() returns successfully. The function then proceeds to perform additional setup, including changing the controller state and scheduling connect work.

If any post-allocation step fails, control flow transfers to the fail_ctrl cleanup label. This label releases controller references but does not invoke nvme_remove_admin_tag_set(). As a result, the admin queue and tag set allocations remain orphaned in kernel memory. The behavior was confirmed by kmemleak instrumentation during blktests nvme/fc regression runs.

Root Cause

The root cause is incomplete error-path cleanup in nvme_fc_init_ctrl(). The function allocates the admin tag set but the corresponding teardown is missing from the fail_ctrl path. This is a classic resource-leak pattern where allocation and release paths are not symmetric across all exit conditions.

Attack Vector

The vulnerability is triggered by local kernel activity rather than a remote network exploit. Triggering the leak requires repeated controller-creation failures via the NVMe fabrics interface. Each failed initialization leaks the admin tag set, gradually consuming kernel slab memory. The fix checks ctrl->ctrl.admin_tagset in the fail_ctrl path and calls nvme_remove_admin_tag_set() when it is set, ensuring all admin queue allocations are reclaimed when controller setup aborts.

Detection Methods for CVE-2026-23261

Indicators of Compromise

• kmemleak reports referencing blk-mq tag set allocations originating from nvme_fc_init_ctrl()
• Growing kernel slab usage in blk_mq and nvme related caches without corresponding NVMe/FC controller instances
• Recurring NVMe/FC controller creation failures logged in dmesg or journalctl

Detection Strategies

• Enable CONFIG_DEBUG_KMEMLEAK on test systems and inspect /sys/kernel/debug/kmemleak for leaked allocations attributed to nvme_fc_init_ctrl()
• Monitor /proc/slabinfo for unbounded growth in blk_mq and kmalloc slab caches on hosts running NVMe/FC workloads
• Correlate kernel logs showing failed nvmf_create_ctrl() invocations with memory-pressure metrics

Monitoring Recommendations

• Track kernel memory consumption trends on NVMe/FC initiators using node-level telemetry
• Alert on repeated nvme nvme0: NVME-FC{...}: create association failed messages, which indicate the failure path is being exercised
• Audit kernel package versions across the fleet to identify hosts running pre-patch builds

How to Mitigate CVE-2026-23261

Immediate Actions Required

• Apply the upstream kernel patches referenced by the kernel.org commit identifiers 7c54d3f5ebbc, d1877cc72703, e810b290922c, and fa301aef50e3
• Rebase to a stable kernel release that incorporates the nvme-fc: release admin tagset if init fails fix
• Restart affected hosts after upgrade to reclaim any previously leaked admin tag set memory

Patch Information

The fix modifies the fail_ctrl cleanup path in nvme_fc_init_ctrl() to check ctrl->ctrl.admin_tagset and invoke nvme_remove_admin_tag_set() when the allocation is present. Patches are available across multiple stable branches via the Linux Kernel Git repository. Distribution vendors will incorporate the fix into their respective kernel updates.

Workarounds

• Avoid scripted or automated retry loops that repeatedly attempt to create NVMe/FC controllers when initialization is failing
• Investigate and resolve underlying Fibre Channel fabric or target-side issues that cause controller setup to abort
• Reboot hosts that exhibit growing blk-mq slab usage to reclaim leaked memory until a patched kernel is deployed

# Verify the running kernel and check for kmemleak reports
uname -r
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak | grep -A 5 nvme_fc_init_ctrl