Linux Kernel NVMe-TCP Socket Error Recovery NULL Pointer Dereference Vulnerability

Vulnerability

The Linux kernel's NVMe over TCP host driver (nvme-tcp) can dereference a NULL pointer during controller error recovery. When recovery tears a controller down it releases the queue's TCP socket, and a later reconnect creates a new one; between those two points the queue's socket pointer is not valid. Running `nvme list` while a controller is in that window reads the controller's attributes from sysfs, and the driver's handler for that read follows the released socket pointer without first checking the queue's state, so the kernel crashes.

Impact

The result is a kernel NULL pointer dereference (an oops) and a crash of the host, that is, a denial of service. The trigger is an ordinary administrative command run while a controller is retrying its reconnect, so routine monitoring can hit it as easily as a deliberate attempt. No privilege escalation or information disclosure is described for this issue.

Reproduction

Connect to an NVMe over TCP target, then cause the host driver to enter error recovery so that it tears the controller's queues down and releases their sockets; keeping the target unreachable (for instance by taking it offline) holds the controller in the reconnecting state, with each reconnect attempt failing. While it is in that state, run `nvme list`. The command reads the controller's sysfs attributes, the driver follows the released socket pointer, and the kernel oopses with a NULL pointer dereference.
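As an added illustration (not code from the kernel, from nvme-cli or from this advisory), the userspace model below reproduces the shape of the bug: a queue whose socket is released and recreated by error recovery, a reader that follows the socket pointer unconditionally (the vulnerable pattern) and one that first checks the queue's state under its lock (the hardened pattern). Every name in it (`tcp_queue`, `queue_release_socket`, `get_address_unchecked`, `get_address_checked`, `TARGET`) and the target address are assumptions made for the example; they are not nvme-tcp symbols, and the exact fix in the stable tree is not reproduced here.

```c
/* Added userspace model of the advisory's bug (not nvme-tcp code); every
 * name and address here is an assumption constructed for illustration. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET "10.0.0.2:4420"           /* constructed target address */
struct sock { char peer[32]; };          /* stand-in for the kernel socket */
struct tcp_queue {                       /* stand-in for an nvme-tcp queue */
    pthread_mutex_t lock;                /* serialises recovery against readers */
    struct sock *sock;                   /* NULL between release and recreation */
    bool live;                           /* set once a new socket is connected */
};
#define QUEUE_INIT { PTHREAD_MUTEX_INITIALIZER, NULL, false }

/* Reconnect step: attach a fresh socket and mark the queue live. */
static int queue_connect(struct tcp_queue *q)
{
    struct sock *s = calloc(1, sizeof(*s));
    if (!s)
        return -ENOMEM;
    snprintf(s->peer, sizeof(s->peer), "%s", TARGET);
    pthread_mutex_lock(&q->lock);
    q->sock = s;
    q->live = true;
    pthread_mutex_unlock(&q->lock);
    return 0;
}

/* Error-recovery step: release the socket. The queue itself stays allocated
 * (and its sysfs attributes stay visible), which is why a reader can still
 * reach it while reconnect attempts are failing. */
static void queue_release_socket(struct tcp_queue *q)
{
    pthread_mutex_lock(&q->lock);
    q->live = false;
    free(q->sock);
    q->sock = NULL;
    pthread_mutex_unlock(&q->lock);
}

/* Vulnerable pattern: follows q->sock unconditionally. While recovery has
 * released the socket this is a NULL dereference, i.e. a kernel oops. */
static int get_address_unchecked(struct tcp_queue *q, char *buf, size_t len)
{
    return snprintf(buf, len, "traddr=%s", q->sock->peer);
}

/* Hardened pattern: take the queue lock and report an address only while the
 * queue is live, so a released socket is never followed. */
static int get_address_checked(struct tcp_queue *q, char *buf, size_t len)
{
    int ret;

    pthread_mutex_lock(&q->lock);
    if (q->live && q->sock)
        ret = snprintf(buf, len, "traddr=%s", q->sock->peer);
    else
        ret = -ENOTCONN;
    pthread_mutex_unlock(&q->lock);
    return ret;
}

/* Walk through the window the advisory describes: returns 0 when every step
 * behaves as the hardened path should, otherwise the failing step number. */
int check_recovery_window(void)
{
    struct tcp_queue q = QUEUE_INIT;
    char buf[64];

    if (get_address_checked(&q, buf, sizeof(buf)) != -ENOTCONN)
        return 1;                        /* never connected: refused, no crash */
    if (queue_connect(&q) != 0)
        return 2;
    if (get_address_unchecked(&q, buf, sizeof(buf)) <= 0 ||
        strcmp(buf, "traddr=" TARGET) != 0)
        return 3;                        /* live: even the unchecked read is fine */
    queue_release_socket(&q);            /* recovery released the socket... */
    if (q.sock != NULL ||
        get_address_checked(&q, buf, sizeof(buf)) != -ENOTCONN)
        return 4;                        /* ...where the unchecked read would oops */
    return 0;
}

int main(void)
{
    printf("recovery window check: %d (0 means the hardened reader held up)\n",
           check_recovery_window());
    return 0;
}
```

Build with `cc -pthread model.c -o model` and run it. The point of the model is the ordering in `check_recovery_window`: the unchecked reader is harmless while the queue is live and only fails once recovery has released the socket, which is exactly the state a controller sits in while its reconnect attempts keep failing. The kernel-side lesson is the same as the hardened reader's: a sysfs attribute handler must confirm, under the queue's lock, that the queue is live before it touches the socket, and return an error rather than an address otherwise.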

Remediation

Update to a kernel that includes the fix from the Linux kernel stable tree; check the distribution's kernel changelog for the backport rather than relying on the version number alone. Until the update is in place, avoid polling NVMe over TCP controllers with `nvme list` (or with monitoring that reads the same controller sysfs attributes) while a controller is reconnecting. That reduces exposure but is not a fix, since the crash only needs one read of the attribute during the reconnect window.

Added: Oct 7, 2025, 5:35 PM
Updated: Oct 7, 2025, 5:35 PM

Vulnerability Rating

Custom Algorithm

spread         9.0
impact         2.5
exploitability 4.3
remediation    7.7
relevance      0.7
threat         4.8
urgency        2.9
incentive      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.