CVE-2026-23376
In the Linux kernel, the following vulnerability has been resolved:

nvmet-fcloop: Check remoteport port_state before calling done callback

In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources.

Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state. If online, then lsrsp->done callback will free the lsrsp. Else, return -ENODEV to signal the nvme-fc transport to handle freeing lsrsp.
EPSS 0.02% · 4.6th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 6.18, 6.18, 6.18 |
| Linux | Linux | 10c165af35d225eb033f4edc7fcc699a8d2d533d, 10c165af35d225eb033f4edc7fcc699a8d2d533d, 6.18 |
Exploit Intelligence
- https://git.kernel.org/stable/c/f30b95159a53e72529a9ca1667f11cd1970240a7 (circl)
- https://git.kernel.org/stable/c/31d3817bcd9e192b30abe3cf4b68f69d48864dd2 (circl)
- https://git.kernel.org/stable/c/dd677d0598387ea623820ab2bd0e029c377445a3 (circl)
- glcve_test.go (github-poc)
- test_suggest_impact.py (github-poc)
…and 1 more exploits
Timeline
- Mar 25, 2026 EPSS Score
- Mar 25, 2026 Coalition ESS Score
- Mar 25, 2026 CVE Published
- Mar 29, 2026 Security Advisory
- Apr 24, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score