{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "1385be357e8acd09b36e026567f3a9d5c61139de"
            },
            {
              "fixed": "3df42a854686fa06484e37ac1a3931c8e3e3453c"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "dca1a6ba0da9f472ef040525fab10fd9956db59f"
            },
            {
              "fixed": "d7c8f95f599b3b38a717d2e771c3f8c174f657c3"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "19672ae68d52ff75347ebe2420dde1b07adca09f"
            },
            {
              "fixed": "f9204a2b78dd18374d3bcf9bf93d9021ce22de1b"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "ab200d71553bdcf4de554a5985b05b2dd606bc57"
            },
            {
              "fixed": "c2a11441538bdbbc5aa003f190995eba93a89b88"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "52a0a98549344ca20ad81a4176d68d28e3c05a5c"
            },
            {
              "fixed": "046fa5c72d15cd8e2d592e275697ea399d8f76b0"
            },
            {
              "fixed": "ea8e356acb165cb1fd75537a52e1f66e5e76c538"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "043b4307a99f902697349128fde93b2ddde4686c"
            },
            {
              "last_affected": "42afe8ed8ad2de9c19457156244ef3e1eca94b5d"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.1.163"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.6.124"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.12.70"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.18.10"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.10.250"
            },
            {
              "fixed": "5.11"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.15.200"
            },
            {
              "fixed": "5.16"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52989.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\n\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\nPDU length or offset, it triggers nvmet_tcp_fatal_error(cmd-\u003equeue)\nand returns early. However, because the function returns void, the\ncallers are entirely unaware that a fatal error has occurred and\nthat the cmd-\u003erecv_msg.msg_iter was left uninitialized.\n\nCallers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly\noverwrite the queue state with queue-\u003ercv_state = NVMET_TCP_RECV_DATA\nConsequently, the socket receiving loop may attempt to read incoming\nnetwork data into the uninitialized iterator.\n\nFix this by shifting the error handling responsibility to the callers.",
  "id": "CVE-2026-52989",
  "modified": "2026-07-08T05:39:23.150452499Z",
  "published": "2026-06-24T16:29:03.398Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/046fa5c72d15cd8e2d592e275697ea399d8f76b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3df42a854686fa06484e37ac1a3931c8e3e3453c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2a11441538bdbbc5aa003f190995eba93a89b88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7c8f95f599b3b38a717d2e771c3f8c174f657c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea8e356acb165cb1fd75537a52e1f66e5e76c538"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9204a2b78dd18374d3bcf9bf93d9021ce22de1b"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52989.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52989"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52989.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52989"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492443"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers"
}