CVE-2026-23148
In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start(): 1. nvmet_bio_done() is called when a bio completes 2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req) 3. The queue_response callback can re-queue and re-submit the same request 4. The re-submission reuses the same inline_bio from nvmet_req 5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL 6. The re-submitted bio enters submit_bio_noacct_nocheck() 7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash: BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0 Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.
EPSS 0.04% · 13.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 6.12.37, 6.16, 6.15.6 |
| Linux | Linux | 431e58d56fcb5ff1f9eb630724a922e0d2a941df, 190f4c2c863af7cc5bb354b70e0805f06419c038, 190f4c2c863af7cc5bb354b70e0805f06419c038 |
Exploit Intelligence
Timeline
- Feb 14, 2026 CVE Published
- Feb 15, 2026 EPSS Score
- Feb 17, 2026 EPSS Score
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 22, 2026 Security Advisory
- Feb 24, 2026 EPSS Score
- Feb 26, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
References
- https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4 url
- https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b url
- https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23148 advisory
- https://ubuntu.com/security/notices/USN-8273-1 advisory
- https://ubuntu.com/security/notices/USN-8289-1 advisory
- https://ubuntu.com/security/notices/USN-8278-1 advisory
- https://ubuntu.com/security/notices/USN-8275-1 advisory
- https://ubuntu.com/security/notices/USN-8280-1 advisory
- https://ubuntu.com/security/notices/USN-8279-1 advisory
- https://ubuntu.com/security/notices/USN-8254-3 advisory
- https://ubuntu.com/security/notices/USN-8291-1 advisory
- https://ubuntu.com/security/notices/USN-8277-1 advisory
- https://ubuntu.com/security/notices/USN-8255-3 advisory
- https://ubuntu.com/security/notices/USN-8274-1 advisory
- https://ubuntu.com/security/notices/USN-8281-1 advisory
- https://ubuntu.com/security/notices/USN-8291-2 advisory
- https://ubuntu.com/security/notices/USN-8278-2 advisory
- https://ubuntu.com/security/notices/USN-8297-1 advisory
- https://ubuntu.com/security/notices/USN-8296-2 advisory
…and 12 more