External risk intelligence

Linux Kernel nvmet-tcp Race Condition Allows Queue Re-release

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-46135

This vulnerability affects the Linux kernel NVMe over TCP (NVMe/TCP) implementation. While NVMe/TCP is used for data center storage networking and is typically found in private or internal backend fabrics rather than directly exposed to the public internet, it is a network-accessible protocol, making reachability possible in specific deployment scenarios.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Linux kernel's NVMe over TCP component could allow an attacker to disrupt operations by exploiting a race condition during connection handling and teardown. While this primarily impacts backend storage networks, its network-accessible nature warrants attention to confirm relevance and exposure.

  • Race condition in storage connection handling.
  • Potential for system disruption in backend networks.
  • Confirm relevance and exposure in your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this race condition in the Linux kernel's NVMe over TCP implementation. By sending an initialization request and immediately closing the connection, an attacker could manipulate the state of network queues. This manipulation allows for a second teardown attempt, potentially leading to a crash or unauthorized access to data.

  • Network access required.
  • Triggered by rapid connection close.
  • Leads to data corruption or denial of service.

Live Threat

Current exploitation, exposure, and threat context

A race condition in the Linux kernel's NVMe/TCP implementation could allow an attacker to disrupt the queue teardown process, potentially leading to a denial of service or an information disclosure when the connection is immediately closed after an initialization request.

  • Storage queues.
  • Immediate connection closure after request.
  • Service disruption or data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Linux kernel's NVMe/TCP implementation is affected by a race condition that could lead to a double-free vulnerability. This impacts storage infrastructure and potentially platform teams responsible for managing storage fabric. The first action is to identify all instances of the affected Linux kernel versions within your environment, assess their network exposure, and determine business criticality to prioritize remediation efforts.

  • Identify affected systems and owners.
  • Verify NVMe/TCP reachability and impact.
  • Plan coordinated maintenance for remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Linux kernel nvmet-tcp component?

It is a part of the Linux kernel that enables NVMe over TCP, a protocol used to access high-speed storage devices across a network. It acts as a target-side driver, allowing servers to provide storage resources to other systems over standard TCP/IP networking, commonly used in data center environments for scalable storage access.

What does CWE-362 mean for CVE-2026-46135?

CWE-362 refers to a race condition. In this specific vulnerability, the Linux kernel fails to properly synchronize tasks when setting up or tearing down storage connections. Because these processes can overlap, the system may get into an inconsistent state where it attempts to release the same connection resources multiple times, which can lead to system instability or service errors.

How is this race condition triggered?

An attacker triggers this by sending an initialization connection request and immediately closing the connection. If this happens while the system is trying to shut down that same connection, the overlapping actions cause the kernel to mismanage the connection's state. It does not trigger if the connection remains stable or follows standard handshake and closure procedures without this specific timing conflict.

Is my environment at risk from this CVE?

Halo Surface Signal indicates that while NVMe/TCP is often used on internal storage fabrics, it is a network-accessible protocol. Your risk depends on whether your Linux systems are configured to act as NVMe/TCP targets and if those interfaces are reachable from networks where untrusted parties could send malicious connection requests.

What should I do first to address this?

Begin by auditing your infrastructure to identify Linux servers running the affected kernel versions that also have the NVMe/TCP target component enabled. Once you have an inventory of these systems, verify their network placement. Prioritize patching for any systems where storage interfaces are accessible from broader, less-trusted network segments.

References