CVE-2026-4652

CVE-2026-4652: Remote denial of service via null pointer dereference

Vendor FreeBSD
Product FreeBSD
Weakness CWE-476
Published March 26, 2026
Last update March 26, 2026

What the vulnerability does

01 Description

On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID. An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.

Key dates

02 Disclosure timeline

March 26, 2026 CVE published
March 26, 2026 Record updated