PatchSiren

CVE-2026-46135 Linux CVE debrief

A race condition in the Linux kernel's NVMe/TCP target implementation (nvmet-tcp) can lead to use-after-free conditions during queue teardown. The vulnerability occurs when nvmet_tcp_handle_icreq() updates queue state after sending an Initialization Connection Response (ICResp) without proper serialization against target-side queue teardown. If a host sends an ICReq and immediately closes the connection, target-side teardown may begin before io_work processes the buffered ICReq. This allows nvmet_tcp_handle_icreq() to overwrite the queue state from NVMET_TCP_Q_DISCONNECTING back to NVMET_TCP_Q_LIVE, defeating the disconnect guard and enabling a second kref_put() on an already released queue. The ICResp send failure path has the same issue: a send error can overwrite the NVMET_TCP_Q_DISCONNECTING state with NVMET_TCP_Q_FAILED. The fix serializes post-send state transitions with state_lock and uses -ESHUTDOWN as an internal sentinel to bail out if teardown has already started.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux kernel administrators running NVMe/TCP target configurations; storage infrastructure teams; cloud providers offering NVMe-oF services; security teams monitoring kernel-level storage driver vulnerabilities

Technical summary

The nvmet-tcp driver in the Linux kernel contains a race condition between ICReq (Initialization Connection Request) handling and queue teardown. The nvmet_tcp_handle_icreq() function updates queue->state after sending ICResp without holding state_lock, allowing concurrent teardown to set NVMET_TCP_Q_DISCONNECTING and drop the queue reference. Subsequent ICReq processing can overwrite the state back to NVMET_TCP_Q_LIVE, causing a second teardown path to issue kref_put() on freed memory. The ICResp send failure path similarly allows NVMET_TCP_Q_FAILED to overwrite the NVMET_TCP_Q_DISCONNECTING state. The fix adds state_lock serialization around post-send state transitions and introduces -ESHUTDOWN as a bail-out sentinel when teardown is in progress.
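
The ordering described above, replayed in a single-threaded userspace model. This is an added example, not the kernel's code or the upstream patch: the struct, the function names, the pthread mutex standing in for state_lock, and -EIO as the send error are assumptions. It counts reference drops for the unserialized transition and for the serialized one.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
/* Userspace model only. States mirror the page's NVMET_TCP_Q_* names; the
 * struct, function names and the -EIO send error are assumptions. */
enum q_state { Q_CONNECTING, Q_LIVE, Q_DISCONNECTING, Q_FAILED };
struct model_queue { pthread_mutex_t state_lock; enum q_state state;
                     int puts; /* reference drops; >1 models the double kref_put() */ };

/* Disconnect guard: only the first move to DISCONNECTING drops the reference. */
static void schedule_release(struct model_queue *q) {
    pthread_mutex_lock(&q->state_lock);
    if (q->state != Q_DISCONNECTING) {
        q->state = Q_DISCONNECTING;
        q->puts++;
    }
    pthread_mutex_unlock(&q->state_lock);
}

/* State transition after the ICResp send attempt (fixed=0 models the "before"). */
static int icreq_post_send(struct model_queue *q, int send_ok, int fixed) {
    enum q_state next = send_ok ? Q_LIVE : Q_FAILED;
    int ret = send_ok ? 0 : -EIO;
    if (!fixed) {                   /* before: unserialized, unconditional write */
        q->state = next;
        return ret;
    }
    pthread_mutex_lock(&q->state_lock);
    if (q->state == Q_DISCONNECTING)
        ret = -ESHUTDOWN;           /* teardown already started: leave state alone */
    else
        q->state = next;
    pthread_mutex_unlock(&q->state_lock);
    return ret;
}

/* Replays the ordering in one thread: teardown, buffered ICReq, teardown again. */
static int run_interleaving(int send_ok, int fixed) {
    struct model_queue q = { PTHREAD_MUTEX_INITIALIZER, Q_CONNECTING, 0 };
    schedule_release(&q);                 /* host closed; teardown starts first */
    icreq_post_send(&q, send_ok, fixed);  /* io_work reaches the buffered ICReq */
    schedule_release(&q);                 /* a second teardown path runs */
    return q.puts;
}

int main(void) {
    printf("before: %d puts, after: %d puts\n", run_interleaving(1, 0), run_interleaving(1, 1));
    return 0;
}
```

In the model, both the LIVE and the FAILED overwrite reopen the guard and produce two reference drops; with the serialized check the state stays DISCONNECTING and only one drop occurs.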

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable tree commits once available for your distribution
  • Monitor Linux distribution security advisories for backported fixes
  • Restrict NVMe/TCP target exposure to trusted networks until patched
  • Enable connection rate limiting on NVMe/TCP targets where possible
  • Review kernel logs for unexpected NVMe/TCP queue state transitions as potential indicators

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. Four kernel.org stable tree commits are referenced as source material. The issue affects the NVMe/TCP target subsystem in the Linux kernel. No CVSS score or severity has been assigned by NVD (status: Awaiting Analysis).

Official resources

2026-05-28