PatchSiren

CVE-2026-23244 Linux CVE debrief

CVE-2026-23244 is a Linux kernel issue in nvme_pr_read_keys() where a user-controlled num_keys value is used to size an allocation via struct_size(). With the existing PR_KEYS_MAX upper bound, a large input can still drive an allocation attempt of up to about 4 MB, which in turn can trigger allocator warnings when the requested order exceeds MAX_PAGE_ORDER. The kernel fix switches the allocation to kvzalloc().

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-05-21
Advisory published: 2026-03-18
Advisory updated: 2026-05-21

Who should care

Linux kernel and distro maintainers, operators of systems that expose NVMe block-device persistent reservation ioctls, and administrators who allow untrusted local users to interact with affected kernel builds.

Technical summary

The vulnerable path is in drivers/nvme/host/pr.c: nvme_pr_read_keys() receives num_keys from userspace and passes it to struct_size() to compute an allocation size. The source record states that the upper limit is PR_KEYS_MAX (64K), but a malicious or buggy caller can still cause an allocation attempt of up to about 4 MB, which can exceed MAX_PAGE_ORDER and trigger a page allocator warning. The fix is to replace kzalloc() with kvzalloc(), which is better suited for larger allocations. NVD maps the issue to affected Linux kernel branches and rates it CVSS 3.1 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

Defensive priority

High. Apply the kernel fix promptly on affected Linux kernel branches, especially on hosts where local users can reach NVMe persistent reservation ioctls or where kernel stability is a priority.

Recommended defensive actions

  • Upgrade to a Linux kernel release that includes the fix or the relevant stable backport.
  • Review affected kernel branches listed by NVD and ensure each deployed branch is patched.
  • If immediate upgrading is not possible, reduce exposure to NVMe persistent reservation ioctls for untrusted local users where operationally feasible.
  • Monitor for allocator warnings or unusual NVMe persistent reservation ioctl activity on affected systems.
  • Track vendor stable backports referenced in the official kernel patch links and confirm they are present in your build lineage.
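
One way to do the monitoring in the list above, as an added example that is not part of the original debrief or of any kernel tooling: it scans kernel log text for page-allocator WARNING blocks whose call trace includes nvme_pr_read_keys(). The log excerpt, process name, offsets and source line numbers are constructed, and a dmesg-style line layout is assumed.

```python
import re

# Constructed dmesg-style excerpt (not from the CVE record): one page-allocator
# warning reached through nvme_pr_read_keys(), then one unrelated warning.
SAMPLE_LOG = """\
[  101.000001] WARNING: CPU: 1 PID: 4242 at mm/page_alloc.c:0 __alloc_pages_noprof+0x1a0/0x2f0
[  101.000002] CPU: 1 UID: 1000 PID: 4242 Comm: pr_client Not tainted
[  101.000003] Call Trace:
[  101.000004]  kzalloc_noprof+0x35/0x60
[  101.000005]  nvme_pr_read_keys+0x8f/0x4c0 [nvme_core]
[  101.000006]  blkdev_ioctl+0x1b2/0x290
[  101.000007] ---[ end trace 0000000000000000 ]---
[  250.000001] WARNING: CPU: 0 PID: 77 at net/core/dev.c:0 netif_rx+0x10/0x90
[  250.000002] CPU: 0 UID: 0 PID: 77 Comm: kworker/0:1 Not tainted
[  250.000003] Call Trace:
[  250.000004]  process_one_work+0x17b/0x330
[  250.000005] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+)")
COMM_RE = re.compile(r"Comm: (\S+)")
END_RE = re.compile(r"---\[ end trace")
# A stack frame: optional "? " marker, symbol+offset/size, optional [module].
FRAME_RE = re.compile(r"\s\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?\s*$")

def find_pr_alloc_warnings(log_text, marker="nvme_pr_read_keys"):
    """Return page-allocator WARNING blocks whose call trace contains `marker`."""
    def relevant(b):
        return bool(b) and b["site"].startswith("mm/page_alloc.c") and marker in b["frames"]

    hits, block = [], None
    # The sentinel line flushes a block whose end marker was cut off by log rotation.
    for line in log_text.splitlines() + ["---[ end trace ]---"]:
        start = WARN_RE.search(line)
        if start or END_RE.search(line):
            if relevant(block):
                hits.append(block)
            block = ({"pid": int(start.group(1)), "site": start.group(2),
                      "comm": None, "frames": []} if start else None)
            continue
        if block is None:
            continue
        comm, frame = COMM_RE.search(line), FRAME_RE.search(line)
        if comm and block["comm"] is None:
            block["comm"] = comm.group(1)
        if frame:
            block["frames"].append(frame.group(1))
    return hits
```

Feed it the output of dmesg or journalctl -k; each hit carries the PID and command name of the process that issued the ioctl, which is the starting point for triage.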

Evidence notes

Source description: nvme_pr_read_keys() consumes userspace-controlled num_keys, computes allocation size with struct_size(), and can attempt up to a 4 MB allocation under the PR_KEYS_MAX (64K) cap. The stated fix is to use kvzalloc() instead of kzalloc(). The supplied kernel warning shows the path through nvme_pr_read_keys() and kzalloc_noprof() into the page allocator. NVD marks the issue analyzed, lists Linux kernel CPE ranges across multiple branches, and assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The supplied corpus does not indicate KEV inclusion.

Official resources

CVE published on 2026-03-18T11:16:16.270Z and last modified on 2026-05-21T15:55:29.250Z. The supplied source record and NVD metadata use those dates as the disclosure/timeline anchors.