Critical Linux Subsystem Error: Remote Server Control Possible

A vulnerability has been discovered in the Linux kernel subsystem nvmet-tcp (the NVMe-oF/TCP target), which provides access to NVMe drives over the TCP protocol across a network. According to the series of bug reports that disclosed it, the flaw could allow an attacker to execute arbitrary code remotely at kernel level or, given local access, to escalate privileges on the system.

The vulnerability affects systems on which the NVMe-oF/TCP target (the NVME_TARGET_TCP kernel build option) is enabled, and it has been present since the very first version of the NVMe-oF/TCP driver. By default the target accepts connections on TCP port 4420.

The vulnerability is caused by a logic error that leads to the function nvmet_tcp_free_crypto being called twice. As a result, certain resources are released twice and memory that has already been freed is referenced again. Such abnormal behaviour can produce a use-after-free and a double free while the NVMe-oF/TCP target processes a specially crafted client message. It is important to note that the attacking client may be either on the local network or on the Internet.
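The bug class described above (a teardown routine that is safe when called once but not twice) and the defensive idiom that removes it, as an added example in C. This is not the driver's code and not the actual kernel fix: the names toy_queue, toy_crypto_ctx, free_crypto_buggy, free_crypto_fixed and tracked_alloc are invented for illustration, and a small tracking allocator stands in for KASAN so that the second release of a pointer is counted rather than executed.

```c
/* Added example (not kernel code): models a release routine called twice
 * during connection teardown, the pattern behind the nvmet_tcp_free_crypto
 * bug, and the idempotent variant that survives a repeated call. */
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator: a tiny stand-in for KASAN-style double-free
 * detection. A pointer that is not in the live set cannot be freed again,
 * so the example observes the bug without corrupting the heap. */
#define MAX_LIVE 16
static void *live_ptrs[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live_ptrs[i]) {
            live_ptrs[i] = p;
            return p;
        }
    }
    free(p);                        /* no free slot in the toy registry */
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p)
        return;                     /* freeing NULL is a no-op, like kfree(NULL) */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_ptrs[i] == p) {
            live_ptrs[i] = NULL;
            free(p);
            return;
        }
    }
    /* Pointer is not live: this is the double free the logic error
     * produces. Count it instead of passing a dangling pointer to free(). */
    double_free_count++;
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_ptrs[i])
            n++;
    return n;
}

/* Toy stand-ins (assumed names) for the per-queue crypto state that a
 * transport driver allocates when a connection is set up. */
struct toy_crypto_ctx { unsigned char key[32]; };
struct toy_queue { struct toy_crypto_ctx *send_ctx, *recv_ctx; };

/* Buggy shape: releases both contexts but leaves the pointers in place.
 * If two teardown paths both call it, the second call frees stale memory. */
static void free_crypto_buggy(struct toy_queue *q)
{
    tracked_free(q->send_ctx);
    tracked_free(q->recv_ctx);
}

/* Hardened shape: clear each pointer right after releasing it, so a
 * repeated call finds NULL and does nothing. */
static void free_crypto_fixed(struct toy_queue *q)
{
    tracked_free(q->send_ctx);
    q->send_ctx = NULL;
    tracked_free(q->recv_ctx);
    q->recv_ctx = NULL;
}

/* Sets up a queue, then runs the chosen release routine twice (as an
 * error path followed by the normal destroy path would). Returns the
 * number of double frees the tracking allocator observed. */
int run_teardown_twice(int fixed)
{
    struct toy_queue q;

    double_free_count = 0;
    q.send_ctx = tracked_alloc(sizeof(*q.send_ctx));
    q.recv_ctx = tracked_alloc(sizeof(*q.recv_ctx));

    if (fixed) {
        free_crypto_fixed(&q);
        free_crypto_fixed(&q);
    } else {
        free_crypto_buggy(&q);
        free_crypto_buggy(&q);
    }
    return double_free_count;
}

int main(void)
{
    printf("buggy release called twice: %d double free(s)\n", run_teardown_twice(0));
    printf("fixed release called twice: %d double free(s)\n", run_teardown_twice(1));
    printf("live allocations left: %d\n", live_count());
    return 0;
}
```

In a real kernel, the second call in the buggy variant would hand a freed address to kfree, and a message arriving between the two calls could see the same memory reused, which is the use-after-free the report describes; KASAN or slab debugging is what flags it during testing. Clearing pointers after release makes the routine idempotent, but the complete fix is still to remove the duplicate call site so that only one teardown path owns the resources.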
