CVE-2023-52454: In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fix a kernel panic when host sends an in
Summary
A bug in the Linux kernel's NVMe over TCP (nvmet-tcp, a protocol for storage communication) can cause a kernel panic (system crash) when a host computer sends an H2CData command with an invalid DATAL (data length) value. The crash happens in the nvmet_tcp_build_pdu_iovec() function, which processes incoming network packets.
Solution / Mitigation
Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Additionally, the PDU (protocol data unit, the structure holding network data) length should never exceed the MAXH2CDATA parameter that was communicated to the host in nvmet_tcp_handle_icreq().
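The two checks described above, written as a user-space C model. This is an added example, not the kernel's code: the struct, the function name, the verdict codes and the sample values in `main` are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified, hypothetical view of the fields the check needs;
 * this is not the kernel's struct layout. */
struct h2c_data_fields {
    uint32_t plen;      /* total PDU length claimed in the common header */
    uint32_t hdr_len;   /* PDU header length */
    uint32_t hdgst_len; /* header digest length, 0 if disabled */
    uint32_t ddgst_len; /* data digest length, 0 if disabled */
    uint32_t datal;     /* DATAL: payload length claimed by the host */
};

enum h2c_verdict { H2C_OK = 0, H2C_FATAL_PLEN = -1, H2C_FATAL_DATAL = -2 };

/* Accept the PDU only when its length stays within the MAXH2CDATA value
 * advertised to the host and DATAL is coherent with the PDU size. */
enum h2c_verdict h2c_data_validate(const struct h2c_data_fields *f,
                                   uint32_t maxh2cdata)
{
    /* 64-bit sum so the overhead itself cannot wrap around. */
    uint64_t overhead = (uint64_t)f->hdr_len + f->hdgst_len + f->ddgst_len;

    /* A PDU shorter than its own header and digests is rejected before
     * the subtraction below, which would otherwise underflow. */
    if (f->plen > maxh2cdata || f->plen < overhead)
        return H2C_FATAL_PLEN;

    /* DATAL must equal the payload bytes actually carried by the PDU. */
    if (f->datal != f->plen - overhead)
        return H2C_FATAL_DATAL;

    return H2C_OK;
}

int main(void)
{
    /* Constructed sample: 24-byte header, no digests, 4 MiB limit. */
    struct h2c_data_fields good = { 4120, 24, 0, 0, 4096 };
    struct h2c_data_fields bad  = { 4120, 24, 0, 0, 8192 };

    printf("coherent DATAL: %d\n", h2c_data_validate(&good, 0x400000));
    printf("invalid DATAL:  %d\n", h2c_data_validate(&bad, 0x400000));
    return 0;
}
```

A non-zero verdict corresponds to the fatal-error path: the receiver stops processing the PDU instead of building a buffer list from a length it cannot trust.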
Vulnerability Details
5.5 (medium)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-52454
First tracked: February 15, 2026 at 08:52 PM