PatchSiren cyber security CVE debrief

CVE-2026-22998 Linux CVE debrief

The Linux kernel was vulnerable to a high-severity issue, CVE-2026-22998, involving NULL pointer dereferences in the nvmet_tcp_build_pdu_iovec function. The flaw was caused by inadequate validation of command data structures before processing H2C_DATA PDUs: an attacker could trigger it by sending H2C_DATA PDUs in specific sequences, such as before a CONNECT command or targeting uninitialized command slots. The vulnerability has been patched in various kernel versions, including 5.4.268, 5.10.209, 5.15.148, 6.1.75, 6.6.14, and 6.7.2.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-25
Original CVE updated: 2026-06-17
Advisory published: 2026-01-25
Advisory updated: 2026-06-17

Who should care

System administrators and security teams responsible for Linux kernel-based systems, especially those using nvme-tcp, should be aware of this vulnerability. They should assess their systems for exposure and apply patches or mitigations as necessary.

Technical summary

CVE-2026-22998 is a high-severity vulnerability in the Linux kernel's nvme-tcp implementation. The vulnerability arises because the nvmet_tcp_build_pdu_iovec function does not check whether the command's data structures (cmd->req.sg and cmd->iov) have been initialized before dereferencing them. It can be triggered by sending H2C_DATA PDUs in specific sequences, such as before a CONNECT command or targeting uninitialized command slots, leading to NULL pointer dereferences. The vulnerability has a CVSS score of 7.5 and is classified under CWE-476.
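As an added illustration (not code from the kernel or from this advisory), the following C model shows the ordering of checks the summary describes: an H2C_DATA PDU is rejected until CONNECT has completed and the targeted command slot actually has its data buffer and iovec set up, so neither pointer is dereferenced while still NULL. All struct and function names (model_queue, model_cmd, handle_h2c_data and the helpers) are constructed stand-ins, not the kernel's identifiers.

```c
#include <stddef.h>
#define MAX_CMDS 4

/* Hypothetical stand-ins for the target's per-command and per-queue state.
 * Names and layout are constructed for this example; they are not the kernel's. */
struct model_iov { void *base; size_t len; };
struct model_cmd {
    void *sg;               /* data buffer, NULL until the command is set up */
    struct model_iov *iov;  /* iovec storage, NULL until the command is set up */
    size_t data_len;
};
struct model_queue {
    int connected;          /* set once the CONNECT command has been processed */
    struct model_cmd cmds[MAX_CMDS];
};

enum h2c_status {
    H2C_OK = 0,
    H2C_ERR_NOT_CONNECTED = -1, /* H2C_DATA arrived before CONNECT */
    H2C_ERR_BAD_TTAG = -2,      /* transfer tag outside the slot table */
    H2C_ERR_NO_DATA_BUF = -3,   /* slot never set up: sg/iov are still NULL */
    H2C_ERR_BAD_LEN = -4        /* PDU claims more data than the command owns */
};

/* Fill the command's iovec from its data buffer; only safe once sg/iov exist. */
static void build_iovec(struct model_cmd *cmd)
{ cmd->iov->base = cmd->sg; cmd->iov->len = cmd->data_len; }

/* Gate an incoming H2C_DATA PDU: every check runs before cmd->sg or cmd->iov
 * is dereferenced, which is the validation the advisory says was missing. */
int handle_h2c_data(struct model_queue *q, unsigned ttag, size_t datal)
{
    if (!q->connected) return H2C_ERR_NOT_CONNECTED;
    if (ttag >= MAX_CMDS) return H2C_ERR_BAD_TTAG;
    struct model_cmd *cmd = &q->cmds[ttag];
    if (!cmd->sg || !cmd->iov) return H2C_ERR_NO_DATA_BUF;
    if (datal > cmd->data_len) return H2C_ERR_BAD_LEN;
    build_iovec(cmd);
    return H2C_OK;
}

/* Drive the model: mark the queue CONNECTed, then give slot `ttag` its buffers. */
void model_connect(struct model_queue *q) { q->connected = 1; }
void model_prepare_cmd(struct model_queue *q, unsigned ttag, void *buf,
                       struct model_iov *iov, size_t len)
{ q->cmds[ttag].sg = buf; q->cmds[ttag].iov = iov; q->cmds[ttag].data_len = len; }
```

A fresh queue rejects H2C_DATA outright, a connected queue still rejects it for any slot that was never prepared, and only a prepared slot with an in-range length reaches build_iovec.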

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates to affected kernel versions.
  • Restrict access to nvme-tcp services to trusted sources.
  • Monitor system logs for suspicious nvme-tcp activity.
  • Implement additional validation for H2C_DATA PDUs.
  • Consider using alternative storage protocols if possible.
  • Regularly review and update system configurations.

Evidence notes

The CVE-2026-22998 vulnerability was identified and patched by the Linux kernel community. Multiple patches were applied to various kernel branches to address this issue. The vulnerability details and patches are publicly available on kernel.org and other Linux resources.

Official resources

Publicly disclosed