Linux kernel, Resource Leak, CVE-2026-23261 (Medium)

Listen to this Post

How CVE-2026-23261 Works

The vulnerability resides in the Linux kernel’s NVMe over Fibre Channel (nvme-fc) driver. When creating a new NVMe/FC controller via nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl(), the function allocates admin block-multiqueue (blk-mq) resources immediately after a successful `nvme_add_ctrl()` call. These resources include an admin tagset and associated queues. If any subsequent step fails—such as changing the controller state or scheduling the connect work—the code jumps to the `fail_ctrl` error path. This path tears down controller references but does not free the previously allocated admin queue or tagset. As a result, the blk-mq allocations remain referenced, causing a kernel memory leak. Over time, repeated controller initialization failures exhaust kernel memory, leading to system instability or denial of service. The leak was identified via kmemleak reports during blktests nvme/fc. The fix adds a check for `ctrl->ctrl.admin_tagset` in the `fail_ctrl` path and calls `nvme_remove_admin_tag_set()` to reclaim all admin queue allocations whenever controller setup aborts.

dailycve form:

Platform: Linux kernel
Version: Unpatched kernels
Vulnerability: Admin tagset leak
Severity: Medium
date: 03/18/2026

Prediction: Patch date 05/22/2026

What Undercode Say:

Check if nvme-fc module is loaded
lsmod | grep nvme_fc
Monitor kernel memory leaks (requires kmemleak enabled)
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
Simulate controller init failure (requires FC setup)
echo "0,0" > /sys/class/nvme-subsystem/nvme-subsys0/delete_controller
modprobe -r nvme_fc && modprobe nvme_fc
Relevant code diff (simplified)
Original faulty path:
nvme_fc_init_ctrl() -> nvme_add_ctrl() -> allocate tagset -> error -> goto fail_ctrl;
fail_ctrl: nvme_put_ctrl(ctrl); // missing nvme_remove_admin_tag_set()
Fixed:
fail_ctrl: if (ctrl->ctrl.admin_tagset) nvme_remove_admin_tag_set(&ctrl->ctrl);

Exploit:

Local unprivileged user can repeatedly trigger NVMe/FC controller creation with malformed parameters or cause state-change failures, forcing the init routine to abort. Each abort leaks approximately 100–500 KB of non-paged kernel memory. After several thousand attempts, kernel memory exhaustion leads to system freeze or OOM killer invocation. No remote exploitation possible without FC access.

Protection from this CVE:

  • Apply kernel patch commit that adds `nvme_remove_admin_tag_set()` in the `fail_ctrl` path.
  • If unable to patch, disable the `nvme_fc` module (blacklist nvme_fc in modprobe.d) when FC storage not required.
  • Monitor kernel memory with `kmemleak` to detect unexpected leaks.
  • Upgrade to Linux kernel version 6.14 or later (where the fix is integrated).

Impact:

Memory leak degrades system performance over time. Prolonged exploitation causes kernel panic or denial of service, forcing a reboot. No data corruption or privilege escalation, but availability of the host is compromised, especially in containerized or virtualization environments where many FC controllers are dynamically created and destroyed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Linux Kernel, Memory Leak in io_uring/zcrx, CVE-2026-23263 (High)

Scroll to Top