CVE-2026-23174 | nvme-pci: handle changing device dma map requirements

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: handle changing device dma map requirements The initial state of dma_needs_unmap may be false, but change to true while mapping the data iterator. Enabling swiotlb is one such case that can change the result. The nvme driver needs to save the mapped dma vectors to be unmapped later, so allocate as needed during iteration rather than assume it was always allocated at the beginning. This fixes a NULL dereference from accessing an uninitialized dma_vecs when the device dma unmapping requirements change mid-iteration.

Published: 2026-02-14 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-23174 is rated Low Risk (5.2/100): low exploitation likelihood (EPSS 0.15%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-23174

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.15%	+0.14%
2	2026-02-15	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-23174

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-23174

OS Trackers for CVE-2026-23174

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-23174 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-23174
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2026-23174
`suse`	medium	CVE-2026-23174 severity moderate: SUSE including 26 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 226 product×package rows across 40 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, … (40 product lines)): Known Not Affected 226.	https://www.suse.com/security/cve/CVE-2026-23174/
`ubuntu`	medium	CVE-2026-23174 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1256 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): DNE 871, ignored 165, not-affected 119, released 83, needed 18.	https://ubuntu.com/security/CVE-2026-23174

Affected software / configurations for CVE-2026-23174

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-23174

URL	Tags
https://git.kernel.org/stable/c/071be3b0b6575d45be9df9c5b612f5882bfc5e88
https://git.kernel.org/stable/c/f3ed399e9aa6f36e92d2d0fe88b387915e9705fe

cvelogic Threat Intelligence