Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: make free_choose_arg_map() resilient to partial allocation

free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.

For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.

To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Published: 2026-01-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: NULL pointer dereference leading to kernel crash
Action: Update Kernel
AI Analysis

Impact

The vulnerability resides in the free_choose_arg_map() function in the Linux kernel's libceph subsystem. In a caller such as decode_choose_args(), arg_map->size is set to a non-zero value before arg_map->args is allocated; if that allocation fails, execution jumps to the failure path with the size set and the pointer still NULL. During cleanup, free_choose_arg_map() iterates over arg_map->args and dereferences a NULL pointer, which triggers a kernel fault. This manifests as a system crash and therefore results in a denial of service. The weakness is a classic NULL pointer dereference (CWE-476).
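The following userspace model is an added example, not the kernel's code or the upstream patch: it reproduces the ordering described above (size written before the array exists) and a cleanup routine that checks each pointer before iterating. The struct layouts, the `xcalloc`/`xfree` fault-injection helpers and the names `free_map` and `decode_map` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for the structures named in the advisory (assumed layout). */
struct weight_set { uint32_t *weights; };
struct choose_arg { struct weight_set *weight_set; uint32_t weight_set_size; };
struct choose_arg_map { struct choose_arg *args; uint32_t size; };

static int fail_at, calls, live;   /* fault injection index, call count, leak counter */

static void *xcalloc(size_t n, size_t sz)
{
    void *p = (calls++ == fail_at) ? NULL : calloc(n, sz);
    if (p) live++;
    return p;
}
static void xfree(void *p) { if (p) { live--; free(p); } }

/* Cleanup that tolerates a map whose sizes are set but whose arrays are missing. */
static void free_map(struct choose_arg_map *m)
{
    if (m && m->args) {                     /* pointer check before iterating */
        for (uint32_t i = 0; i < m->size; i++) {
            struct choose_arg *a = &m->args[i];
            if (a->weight_set)              /* inner array can be missing as well */
                for (uint32_t j = 0; j < a->weight_set_size; j++)
                    xfree(a->weight_set[j].weights);
            xfree(a->weight_set);
        }
        xfree(m->args);
    }
    xfree(m);
}

/* Decoder with the hazardous ordering; returns allocations still outstanding. */
static int decode_map(uint32_t n, uint32_t ws, int nth)
{
    calls = 0; live = 0; fail_at = nth;     /* nth = -1 means no injected failure */
    struct choose_arg_map *m = xcalloc(1, sizeof(*m));
    if (!m) return live;
    m->size = n;                            /* non-zero before args is allocated */
    if (!(m->args = xcalloc(n, sizeof(*m->args)))) goto fail;
    for (uint32_t i = 0; i < n; i++) {
        struct choose_arg *a = &m->args[i];
        a->weight_set_size = ws;            /* same hazard one level down */
        if (!(a->weight_set = xcalloc(ws, sizeof(*a->weight_set)))) goto fail;
        for (uint32_t j = 0; j < ws; j++)
            if (!(a->weight_set[j].weights = xcalloc(4, sizeof(uint32_t)))) goto fail;
    }
fail:                                       /* success also lands here: decode, then free */
    free_map(m);
    return live;
}
```

Removing the two pointer checks in `free_map` and failing the second allocation (`nth = 1`) reproduces the NULL dereference in this model, which makes it usable as a regression harness for similar cleanup paths.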

Affected Systems

All builds of the Linux kernel that include the vulnerable libceph code are affected, specifically the 6.19 release candidates (rc1 through rc4) and any kernel versions derived from them before the patch was backported. Upgrading to a later release that contains the fix removes the vulnerability.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% shows that this issue is considered unlikely to be exploited in the near term. It is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been observed. The attack would likely require the ability to trigger the partial allocation failure path in the Ceph subsystem, which may be achieved locally by interacting with a Ceph client or potentially remotely if the Ceph interface is exposed. Based on the description, the attack vector is inferred to involve inducing a failure in decode_choose_args(), leading to the null dereference and subsequent crash.

Generated by OpenCVE AI on April 18, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a patched version, that is, any later release that includes the fixed free_choose_arg_map() function.
  • If an immediate kernel upgrade is not possible, backport the commit that adds NULL pointer checks to free_choose_arg_map() from the upstream repository.
  • Monitor system logs for kernel oops entries related to libceph and consider disabling or sandboxing Ceph mounts until a patch is applied.



Advisories
Source | ID | Title
Debian DLA | DLA-4475-1 | linux security update
Debian DLA | DLA-4476-1 | linux-6.1 security update
Debian DSA | DSA-6126-1 | linux security update
Debian DSA | DSA-6127-1 | linux security update
Ubuntu USN | USN-8096-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-8096-2 | Linux kernel (FIPS) vulnerabilities
Ubuntu USN | USN-8096-3 | Linux kernel vulnerabilities
Ubuntu USN | USN-8096-4 | Linux kernel (Real-time) vulnerabilities
Ubuntu USN | USN-8096-5 | Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN | USN-8116-1 | Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN | USN-8141-1 | Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN | USN-8163-1 | Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN | USN-8163-2 | Linux kernel (Azure) vulnerabilities

History

Thu, 26 Feb 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476
CPEs | | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 24 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Fri, 23 Jan 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.
Title | | libceph: make free_choose_arg_map() resilient to partial allocation
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:42.415Z

Reserved: 2026-01-13T15:37:45.937Z

Link: CVE-2026-22991

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-23T16:15:55.183

Modified: 2026-02-26T18:50:48.817

Link: CVE-2026-22991

Redhat

Severity: Moderate

Public Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22991 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses