{"id":"CVE-2026-23148","summary":"nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req-\u003eops-\u003equeue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n   invokes bio_uninit() for inline_bio, which sets bio-\u003ebi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio-\u003ebi_blkg, causing a crash:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n  #PF: supervisor read access in kernel mode\n  RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n  Call Trace:\n   submit_bio_noacct_nocheck+0x44/0x250\n   nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n   process_one_work+0x193/0x3c0\n   worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition.","modified":"2026-04-04T03:03:19.389390Z","published":"2026-02-14T16:01:17.575Z","related":["SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23148.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23148.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23148"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"431e58d56fcb5ff1f9eb630724a922e0d2a941df"},{"fixed":"ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"190f4c2c863af7cc5bb354b70e0805f06419c038"},{"fixed":"68207ceefd71cc74ce4e983fa9bd10c3122e349b"},{"fixed":"0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"2e2028fcf924d1c6df017033c8d6e28b735a0508"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23148.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}