CVE-2026-46135

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists in the nvmet-tcp module between the handling of Initialization Connection Requests (ICReq) and queue teardown. The function nvmet tcp handle icreq() updates the queue->state after sending an Initialization Connection Response (ICResp) without proper serialization against target-side queue teardown. If a host sends an ICReq and immediately closes the connection, the teardown process may set queue->state to NVMET TCP Q DISCONNECTING. Subsequently, if the buffered ICReq is processed, nvmet tcp handle icreq() may overwrite the state back to NVMET TCP Q LIVE. This bypasses the state guard in nvmet tcp schedule release queue(), potentially allowing a second teardown process to issue a second kref put() on a queue that has already been released. A similar issue occurs in the ICResp send failure path, where the state could be overwritten with NVMET TCP Q FAILED.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.