CVE-2024-46737 in Linux
Summary
by MITRE • 09/18/2024
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fix kernel crash if commands allocation fails
If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference.
nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability described in CVE-2024-46737 represents a critical kernel panic condition within the Linux NVMe over TCP subsystem that can lead to complete system crashes. This issue specifically affects the nvmet-tcp driver component responsible for handling NVMe over TCP transport operations in the kernel. The flaw manifests when the kernel attempts to allocate command structures for queue management but fails to properly handle the allocation failure scenario, resulting in a NULL pointer dereference that terminates kernel execution.
The technical root cause of this vulnerability lies in the nvmet_tcp_alloc_cmds() function within the NVMe TCP target implementation. When command allocation fails during queue setup, the system does not properly initialize the queue structure's command count field. This failure occurs in the context of nvmet_tcp_release_queue_work() where the kernel attempts to access a NULL pointer at virtual address 00000008, which corresponds to the queue->nr_cmds field that should have been initialized to zero but remains uninitialized due to the allocation failure path. This represents a classic null pointer dereference pattern that directly maps to CWE-476 Null Pointer Dereference.
The operational impact of this vulnerability extends beyond simple system instability as it can affect any system running Linux kernel versions containing the affected NVMe TCP target code. When a queue allocation fails during NVMe over TCP connection establishment, particularly when the system is under resource pressure or when multiple concurrent connections are attempted, the kernel will immediately crash and reboot. This behavior can be particularly problematic in production environments where NVMe over TCP is used for high-performance storage access, as it can lead to unexpected service interruptions and data accessibility issues. The vulnerability also aligns with ATT&CK technique T1490 for Deception and T1566 for Phishing as it can be exploited to cause denial of service conditions that may be used to disrupt storage services.
The fix implemented addresses the core issue by ensuring proper initialization of queue->nr_cmds to zero whenever nvmet_tcp_alloc_cmd() fails, preventing the subsequent NULL pointer dereference in the cleanup path. This remediation follows standard defensive programming practices and aligns with the principle of fail-safe initialization. The solution directly addresses the memory management error by ensuring that all allocated structures maintain valid state even when allocation operations fail. Organizations should prioritize applying this patch to all systems running affected kernel versions to prevent potential system crashes and maintain storage service availability. The fix also demonstrates proper error handling methodology that should be applied to similar allocation failure scenarios throughout the kernel codebase, particularly in subsystems that manage queue-based I/O operations where resource exhaustion can occur under stress conditions.