Cover Letter Detail
Show a cover letter.
GET /api/1.1/covers/2220102/?format=api
{ "id": 2220102, "url": "http://patchwork.ozlabs.org/api/1.1/covers/2220102/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177546945105.885203.15305511673780617858@nexus9.public/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<177546945105.885203.15305511673780617858@nexus9.public>", "date": "2026-04-06T10:51:15", "name": "[SRU,Q/N/J,0/3] CVE-2026-23112", "submitter": { "id": 84024, "url": "http://patchwork.ozlabs.org/api/1.1/people/84024/?format=api", "name": "Cengiz Can", "email": "cengiz.can@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177546945105.885203.15305511673780617858@nexus9.public/mbox/", "series": [], "comments": "http://patchwork.ozlabs.org/api/covers/2220102/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=nJ61VzQf;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq5jn08h1z1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 20:51:40 +1000 (AEST)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9hYF-0005ui-1u; Mon, 06 Apr 2026 10:51:27 +0000", "from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <cengiz.can@canonical.com>)\n id 1w9hYD-0005uV-Fc\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 10:51:25 +0000", "from mail-wm1-f69.google.com (mail-wm1-f69.google.com\n [209.85.128.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 5F2013F1CC\n for <kernel-team@lists.ubuntu.com>; Mon, 6 Apr 2026 10:51:25 +0000 (UTC)", "by mail-wm1-f69.google.com with SMTP id\n 5b1f17b1804b1-4888c26580dso35521245e9.3\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 03:51:25 -0700 (PDT)", "from localhost ([176.41.26.180]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48899e48daesm87352125e9.16.2026.04.06.03.51.23\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 03:51:23 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775472685;\n bh=2pOuU73ipC1CiX0HIPD/syTEJMd2u16ORvmMLOlUOXk=;\n h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=nJ61VzQf8wEkovY9F2IOeHxR7Zo28HBey0yx4+VJnHrCASUfIKg1h8ZWEujUAZ+KL\n TF3KBrqdELosDI9tp5WF+KuaGe+sX+LBVECCzw2bIPLLKDA8fKlk3XUg/AAp93c8nD\n lCmP1f0Apv/+zdUnw0cdQU0UP75N3eFEa3+1IfE87Y48bx7adj7SY0E2ugBo4aN+09\n XUbmNveB0qhklcDlGWVrV93sfGd+CstX8B7mJ8rOYhSALgsF9+frScv4KmwbgYbNnM\n kpZYfEN1uXAYlCf6NfrNI4uk74mnp0sc5EjkZW89lckSIZEjC59omOmorkavInP2dq\n XDI5hqT9qU7oeqweNb599lWbBjcxnN3qsqcM3LgqPH4EnWFnGTr2QdNYIbLA3ex81A\n fNjCQ9a+n3mRasRTlPj7qqp5R1UYI769QjH5vp+CMF7gRvzdOngq0043VxdgGJEIbz\n HGKlIA4b8DRhnOw6u1AdUVok34+42HgmweKfhWj5zP9WvLD/0uRl1UqMO7wfrQG5Tf\n 6eL1Nq4jQnubKWnp+jzPrg4LpRUIe/jIP4+LyHJLzPAHB5ymWTLbiEwrRlXJfAl1VM\n PVgcJBx46rIS97WlT8bhC7eGM/wFI3Ac9TYgM6J0TsgCo9YL05bKD9PP78o3v+l2Nc\n th+wNYAVrtS0wUhiXuuGs4U8=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775472685; x=1776077485;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=2pOuU73ipC1CiX0HIPD/syTEJMd2u16ORvmMLOlUOXk=;\n b=I9gfqyVaqD/bTzq9tWBD0cWn3bKv97yWeE20+Ir5XXLbddFMzD3TNZg1fiqwYNkU6f\n e1HETeIJz0CiZVUZ6l+xs+abOqS+Qm9NMf1/Uk725ZMx98nbUyo556PSEfxn4iUKRy+K\n h+iv+7rTl+XLH7+Gfz1flC1pT1WgXr3irn1XzbnuHj5XbYy9HKL2Cg6pFAajHSpjQa2X\n wnSZHzjdyXWx7jKPM/D4T+9JHmIg/EH8rVURXc/P13MZ4QpyuSzOpc7/jHVsqUV3HYVH\n BVs9NDad2GKUUQSlrrVjptW73yu0VJX8g4qdll1eYTtrsC3ztW107d6nZE7w5otdjeAt\n 6wcg==", "X-Gm-Message-State": "AOJu0YzlzxTAoQVMo+Bqex+wTggkp+OPWH4ws112icBOcYHQR8IzJqea\n AxnxvvcbgJTQ9kUOuNQgYESbw6fYUxQ/JA/1u1qSOh7whADDieCfDzrUSHNh1ae6AjTENcEYLE1\n IEkKlg49Wp129hgr7fJmTJLNOctAtStV3I4+q+qa/1DXORjT1Pz3dQDaK/2k52PAnL+9U2G55/e\n FxnsWYTLP3CWBjIg==", "X-Gm-Gg": "AeBDietC2IPbjYNn5FqnCLx85vadlb6zqA906CNm/GAVn73EFoeyq1NF4Z2kCwfOSGr\n Ac+UqFBbJw/wMt4Z51swlJbqI91WRfhGxbNqHEIjvkOj5JCqk01Vg1yOJMjiTqBnom7eG6bicOj\n UnNXHWHP1zPxC0P0dd0kgRRpTmqk3zDBZv+fitvMJqk8384CnBgtyYWLxNDz0+ZaKBaXkN3q2+v\n n/lUdO8qQcG0OrOGLuksjIKCSuh8Aex9TpUZhOOXedxTCH8Ih7Z9xO9h78eSbR4GOBWsSfVSjKQ\n YNz0pQeZOKff2Gf3tliBkkVrDOlGkYTjOy8FuOgAmI3CgrpIO1ZIMN9mbI9Q70PmWiH/1X+0bdy\n RMh5xLXeAi6OarkyYqyiDePA=", "X-Received": [ "by 2002:a05:600c:a4a:b0:488:7f69:4abf with SMTP id\n 5b1f17b1804b1-488997426f9mr178544955e9.12.1775472684644;\n Mon, 06 Apr 2026 03:51:24 -0700 (PDT)", "by 2002:a05:600c:a4a:b0:488:7f69:4abf with SMTP id\n 5b1f17b1804b1-488997426f9mr178544725e9.12.1775472684172;\n Mon, 06 Apr 2026 03:51:24 -0700 (PDT)" ], "From": "Cengiz Can <cengiz.can@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][Q/N/J][PATCH 0/3] CVE-2026-23112", "Date": "Mon, 6 Apr 2026 13:51:15 +0300", "Message-ID": "<177546945105.885203.15305511673780617858@nexus9.public>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "https://ubuntu.com/security/CVE-2026-23112\n\n[ Impact ]\n\nnvmet_tcp_build_pdu_iovec() can walk past cmd->req.sg when a PDU length\nor offset exceeds sg_cnt, then use bogus sg->length/offset values leading\nto _copy_to_iter() GPF/KASAN. An attacker with access to the NVMe-TCP\ntarget interface could trigger a kernel crash.\n\n\n[ Fix ]\n\nCherry-picked from mainline for questing and noble. Adjusted for jammy\ndue to older iovec style.\n\n\n[ Test Plan ]\n\nAll three kernels were compile-tested and boot-tested. PoC verification\nconfirmed the vulnerability is no longer triggerable after the fix.\n\n\n[ Where Problems Could Occur ]\n\nIf the bounds checks are incorrect, NVMe-TCP connections could be\nprematurely terminated or the target could become unresponsive. In the\nworst case, a malformed check could still allow out-of-bounds access." }