Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in handle_auth_done()

Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.

[ idryomov: changelog ]
Published: 2026-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a missing bounds check in the libceph component’s handle_auth_done() function allows an out-of-bounds read of kernel memory. The flaw could enable an attacker to read data beyond the intended buffer, potentially exposing sensitive kernel data or causing a kernel crash. This is a classic out-of-bounds read weakness classified as CWE-125.

Affected Systems

The vulnerability affects all Linux kernel releases that include the libceph module and have not yet incorporated the patch, including kernel version 6.19 through release candidates rc1–rc4. Any earlier kernels that ship the unpatched libceph component are also potentially impacted. Systems that load libceph to process Ceph authentication are thus the ones that would be affected.

Risk and Exploitability

The CVSS score of 7.1 reflects a moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in CISA KEV. The attack would need to influence how Ceph authentication payloads are handled, suggesting a local or privileged code path; this inference comes from the requirement to feed crafted payloads to the kernel. No public exploit has been observed, so the current risk is mostly theoretical.

Generated by OpenCVE AI on April 18, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the libceph handle_auth_done() bounds-check patch.
  • If an immediate kernel upgrade cannot be performed, unload or disable the libceph module to prevent Ceph handling by the kernel until a patch is available.
  • Monitor system logs for anomalous kernel memory reads or crashes that might indicate exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8096-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-5 Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN Ubuntu USN USN-8116-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8141-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
History

Thu, 26 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Sat, 24 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

threat_severity

Moderate

Fri, 23 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ]
Title libceph: prevent potential out-of-bounds reads in handle_auth_done()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:34.605Z

Reserved: 2026-01-13T15:37:45.936Z

Link: CVE-2026-22984

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T16:15:54.440

Modified: 2026-02-26T18:48:45.403

Link: CVE-2026-22984

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22984 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses