Primary

Context

Storage Performance Development Kit Buffer Overflow Vulnerability in NVMe-oF Target Component

Vulnerability

Patched

A buffer overflow vulnerability has been identified in the Storage Performance Development Kit (SPDK) version 25.05, specifically within the NVMe-over-Fabrics (NVMe-oF) target component. The issue arises in the 'lib/nvmf' library, where an array-out-of-bounds access can occur during the update of registrants for a namespace with the 'Persist through power loss' (PTPL) feature enabled. This vulnerability allows memory beyond the array's boundary to be overwritten with data from the Reservation Register command, potentially leading to arbitrary code execution. The vulnerability affects NVMe-oF transports over TCP and RDMA.

Impact

Exploitation of this vulnerability could lead to a buffer overflow, allowing for memory corruption and potentially arbitrary code execution.

Remediation

Users can upgrade to SPDK versions 25.09 or 25.05.1 to address this vulnerability.

Added: Oct 1, 2025, 3:21 PM

Updated: Oct 1, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

5.1

remediation

7.7

relevance

0.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

5.1

remediation

7.7

relevance

0.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Storage Performance Development Kit Buffer Overflow Vulnerability in NVMe-oF Target Component

Vulnerability

Impact

Remediation

Affected Products

Storage Performance Development Kit

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating