Sagi Grimberg

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible use-after-free condition in the Linux kernel's NVMe driver. This condition may occur when the driver executes its reset ctrl work and the ctrl sends an AEN, which is received by the host and schedules AEN handling. The race condition may happen in a specific scenario where the driver attempts to send a command after the ctrl state has been changed to RESETTING. To fix this, a ctrl state check has been added to validate that the ctrl is actually able to accept the AER submission. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the `nvme rdma error recovery work()` function. This vulnerability can be exploited due to a race condition, potentially affecting the confidentiality, integrity, and availability of protected information. The vulnerability occurs when `nvme rdma submit async event work` checks the controller and queue state before preparing the AER command and scheduling `io work`. To prevent this race, the error recovery work must flush `async event work` before destroying the admin queue after setting the controller state to RESETTING. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.