CVE-2026-23148

HIGHNVD 7.55.5▼

7.5

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference

There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():

nvmet_bio_done() is called when a bio completes
nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
The queue_response callback can re-queue and re-submit the same request
The re-submission reuses the same inline_bio from nvmet_req
Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)

invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL

The re-submitted bio enters submit_bio_noacct_nocheck()
blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:

BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0

Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.

CVSS v3: 7.5
EG Score: 5.5(medium)
EPSS: 13.0%
KEV: Not listed

Published

February 14, 2026

Last Modified

April 3, 2026

References (3)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4

Patch Availability(1)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
ubuntu	linux-virtual-6.8 (6.8.0-117.117) @ noble	2026-05-20	ubuntu

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-476NULL Pointer Dereference

All Vendor Advisories

(1)

Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.

UbuntuUSN-8278-1MEDIUM
Linux kernel vulnerabilities

Data Freshness Timeline

(refreshed 18× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-22 21:16 UTCepss_batch
2026-05-21 22:43 UTCepss_batch

Frequently asked(5)

What is CVE-2026-23148?

CVE-2026-23148 is a high vulnerability published on February 14, 2026. In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmetbiodone() leading to NULL pointer dereference There is a race condition in nvmetbiodone() that can cause a NULL pointer dereference in blkcgroupbio_start(): 1. nvmetbiodone() is called when a bio completes…

When was CVE-2026-23148 disclosed?

CVE-2026-23148 was first published in the National Vulnerability Database on February 14, 2026, with the most recent update on April 3, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-23148 actively exploited?

CVE-2026-23148 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 13.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-23148?

CVE-2026-23148 has a CVSS v3 base score of 7.5 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 5.5.

How do I remediate CVE-2026-23148?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-23148, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-23148

Explore →

Is Your Infrastructure Affected by CVE-2026-23148?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-23148

Published

Last Modified

References (3)

Patch Availability(1)

Weakness Classification(1)

All Vendor Advisories

Data Freshness Timeline

Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-23148?

Same vendor

Same CWE

CVE-2026-23148

📅 Published

🔄 Last Modified

🔗 References (3)

Patch Availability(1)

Weakness Classification(1)

All Vendor Advisories

Data Freshness Timeline

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-23148?

🔗 Related CVEs(same vendor + same CWE)

Same vendor

Same CWE

Published

Last Modified

References (3)

Frequently asked(5)

Related CVEs(same vendor + same CWE)