In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmettcpbuildpduiovec() errors to its callers
Currently, when nvmettcpbuildpduiovec() detects an out-of-bounds PDU length or offset, it triggers nvmettcpfatalerror(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recvmsg.msg_iter was left uninitialized.
Callers such as nvmettcphandleh2cdatapdu() proceed to blindly overwrite the queue state with queue->rcvstate = NVMETTCPRECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52989.json",
"cna_assigner": "Linux"
}