In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix slab-out-of-bounds in nvmedbbufset
dev->onlinequeues is a count incremented in nvmeinitqueue. Thus, valid indices are 0 through dev->onlinequeues − 1.
This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
================================================================== BUG: KASAN: slab-out-of-bounds in nvmedbbuffree drivers/nvme/host/pci.c:377 [inline] BUG: KASAN: slab-out-of-bounds in nvmedbbufset+0x39c/0x400 drivers/nvme/host/pci.c:404 Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: nvme-reset-wq nvmeresetwork Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0xea/0x150 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xce/0x5d0 mm/kasan/report.c:482 kasanreport+0xdc/0x110 mm/kasan/report.c:595 _asanreportload2noabort+0x18/0x20 mm/kasan/reportgeneric.c:379 nvmedbbuffree drivers/nvme/host/pci.c:377 [inline] nvmedbbufset+0x39c/0x400 drivers/nvme/host/pci.c:404 nvmeresetwork+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 processonework+0x956/0x1aa0 kernel/workqueue.c:3257 processscheduledworks kernel/workqueue.c:3340 [inline] workerthread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 retfromfork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:246 </TASK>
Allocated by task 34 on cpu 1 at 4.241550s: kasansavestack+0x2c/0x60 mm/kasan/common.c:57 kasansavetrack+0x1c/0x70 mm/kasan/common.c:78 kasansaveallocinfo+0x3c/0x50 mm/kasan/generic.c:570 poisonkmalloc_redzone mm/kasan/common.c:398 [inline] __kasankmalloc+0xb5/0xc0 mm/kasan/common.c:415 kasankmalloc include/linux/kasan.h:263 [inline] __dokmallocnode mm/slub.c:5657 [inline] __kmallocnodenoprof+0x2bf/0x8d0 mm/slub.c:5663 kmallocarraynodenoprof include/linux/slab.h:1075 [inline] nvmepciallocdev drivers/nvme/host/pci.c:3479 [inline] nvmeprobe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 localpciprobe+0xef/0x1c0 drivers/pci/pci-driver.c:324 pcicall_probe drivers/pci/pci-driver.c:392 [inline] __pcideviceprobe drivers/pci/pci-driver.c:417 [inline] pcideviceprobe+0x743/0x920 drivers/pci/pci-driver.c:451 calldriverprobe drivers/base/dd.c:583 [inline] really_probe+0x29b/0xb70 drivers/base/dd.c:661 __driverprobedevice+0x3b0/0x4a0 drivers/base/dd.c:803 driverprobedevice+0x56/0x1f0 drivers/base/dd.c:833 _driverattachasynchelper+0x155/0x340 drivers/base/dd.c:1159 asyncrunentryfn+0xa6/0x4b0 kernel/async.c:129 processonework+0x956/0x1aa0 kernel/workqueue.c:3257 processscheduledworks kernel/workqueue.c:3340 [inline] workerthread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 retfromfork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:246
The buggy address belongs to the object at ffff88800592a000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 244 bytes to the right of allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 head: order:3 mapcount:0 entiremapcount:0 nrpagesmapped:0 pincount:0 anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) pagetype: f5(slab) raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 000fffffc0000040 ffff888001042000 00000 ---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43449.json"
}