CVE-2026-23148

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists in the nvmet bio done() function that can lead to a NULL pointer dereference within blk cgroup bio start(). This occurs when a bio request completes, and the queue response callback re-queues the same request. The original bio’s memory is released via bio uninit(), setting bio->bi blkg to NULL. Subsequently, when the re-submitted bio enters submit bio noacct nocheck(), blk cgroup bio start() attempts to dereference the now-NULL bio->bi blkg, resulting in a kernel crash. The issue arises from the order of operations in nvmet bio done(), specifically calling nvmet req bio put() after nvmet req complete().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.