nvmet: pre-auth arbitrary kernel-memory read in Discovery Get-Log-Page (buffer + offset, unchecked attacker u64 lpo)
Keith Busch
kbusch at kernel.org
Tue Jun 2 01:34:58 PDT 2026
On Mon, Jun 01, 2026 at 08:24:19PM -0700, Jeremy Erazo wrote:
> I'm reporting a pre-authentication arbitrary kernel-memory read in
> `nvmet_execute_disc_get_log_page` (`drivers/nvme/target/discovery.c`).
> A single network packet to a Discovery subsystem - which by design
> accepts any hostnqn - lets a remote, unauthenticated attacker copy up
> to `data_len` bytes from ANY kernel virtual address back to themselves
> over NVMe-TCP or NVMe-RDMA.
Duplicate report:
https://lore.kernel.org/linux-nvme/39YwPS5jntghiVQLt9ikZnmMc7O2g1AY3OVDcxdZjaK53FZHyzQNmyaS5eYBTS93g0Wc-S-UDC0auDRcGgC4iMR5RgXLEBPvqHfFZfbaeoU=@proton.me/
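A bounds check of the kind that closes a buffer + offset read like the one described above, added here as an example (it is not code from the kernel, the reporter or the maintainer); the function names, the `total_len` parameter and the clamp-to-remaining policy are assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical validation for a log-page read.  The caller supplies the
 * total size of the log (total_len), the 64-bit log page offset taken from
 * the command (lpo) and the requested transfer length (data_len).  Returns
 * the number of bytes that may safely be copied from log + lpo, or 0 when
 * the request must be rejected.  The comparison is done before any offset
 * arithmetic so a huge lpo cannot wrap past the check. */
static size_t safe_log_copy_len(size_t total_len, uint64_t lpo, size_t data_len)
{
	/* Offset at or beyond the end of the log: nothing to read. */
	if (lpo >= total_len)
		return 0;

	/* Subtract rather than add: total_len - lpo cannot overflow here. */
	size_t remaining = total_len - (size_t)lpo;

	/* Clamp to what is left (a stricter policy would reject instead). */
	return data_len < remaining ? data_len : remaining;
}

/* Copy with the check applied; returns bytes copied (0 means rejected). */
static size_t copy_log_page(void *dst, const uint8_t *log, size_t total_len,
			    uint64_t lpo, size_t data_len)
{
	size_t n = safe_log_copy_len(total_len, lpo, data_len);

	if (n)
		memcpy(dst, log + lpo, n);
	return n;
}
```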