PT-2026-51883 · Linux · Linux

Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-52989

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA. Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
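
The pattern described above, reduced to a userspace model. This is an added example, not the kernel's code or the upstream patch; every type and function name in it, the 4 KiB buffer size and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model with hypothetical names; not the kernel's code or patch. */
enum rcv_state { RECV_PDU, RECV_DATA, RECV_ERR };
struct queue { enum rcv_state rcv_state; bool iter_ready; };
struct cmd { struct queue *queue; size_t buf_len; };

static bool out_of_bounds(const struct cmd *c, size_t off, size_t len)
{
    return off > c->buf_len || len > c->buf_len - off; /* overflow-safe */
}

/* Before: the failure is flagged on the queue, but the caller cannot see it. */
static void build_iovec_void(struct cmd *c, size_t off, size_t len)
{
    if (out_of_bounds(c, off, len)) {
        c->queue->rcv_state = RECV_ERR;  /* fatal error */
        return;                          /* iterator never initialized */
    }
    c->queue->iter_ready = true;
}

/* After: the builder only reports; error handling belongs to the caller. */
static int build_iovec_checked(struct cmd *c, size_t off, size_t len)
{
    if (out_of_bounds(c, off, len))
        return -EINVAL;
    c->queue->iter_ready = true;
    return 0;
}

/* Models a data-PDU handler; returns true if the receive loop would then
 * read into an uninitialized iterator (state RECV_DATA, iterator not set). */
static bool handler_leaves_unsafe_state(bool fixed, size_t off, size_t len)
{
    struct queue q = { RECV_PDU, false };
    struct cmd c = { &q, 4096 };         /* constructed 4 KiB buffer */

    if (!fixed) {
        build_iovec_void(&c, off, len);
        q.rcv_state = RECV_DATA;         /* blindly overwrites RECV_ERR */
    } else if (build_iovec_checked(&c, off, len)) {
        q.rcv_state = RECV_ERR;          /* caller raises the fatal error */
    } else {
        q.rcv_state = RECV_DATA;
    }
    return q.rcv_state == RECV_DATA && !q.iter_ready;
}
```

In the "before" path the error state set by the builder is lost as soon as the caller assigns the data-receive state, which is why the model reports an unsafe state only for the void-returning variant.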

Related identifiers

CVE-2026-52989

Affected products

Linux