CVE-2026-22992 - Vulnerability Details

- libceph: return the handler error from mon_handle_auth_done()

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: return the handler error from mon_handle_auth_done()

Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().

Published: 2026-01-23

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel’s Ceph client authentication path. The function mon_handle_auth_done() fails to forward an error returned by ceph_auth_handle_reply_done(), causing the kernel to believe the monitor authentication succeeded while an error actually occurred. In secure mode this mismatch can trigger a warning during setup_crypto() and ultimately lead to a NULL pointer dereference in prepare_auth_signature(), which may cause a kernel panic and result in a denial of service.

Affected Systems

Systems running Linux kernels that contain the Ceph client module are affected. The general linux:linux_kernel CPE list, together with the specific 6.19 release candidates rc1 through rc4, indicates that those kernel versions are vulnerable. Any machine running a Linux kernel that incorporates Ceph—either as a compiled-in module or as a loadable module—falls within the scope of this vulnerability.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to influence the authentication exchange between a Ceph monitor and client, most plausibly by manipulating traffic on the network. The impact is therefore a potential kernel crash leading to a denial of service, rather than remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 77229551f2cf72f3e35636db68e6a825b912cf16
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 33908769248b38a5e77cf9292817bb28e641992d
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< e097cd858196b1914309e7e3d79b4fa79383754d
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< d2c4a5f6996683f287f3851ef5412797042de7f1
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 9e0101e57534ef0e7578dd09608a6106736b82e5
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< e84b48d31b5008932c0a0902982809fbaa1d3b70

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`5.15.198`	unaffected	≤ 5.15.*
`6.1.161`	unaffected	≤ 6.1.*
`6.6.121`	unaffected	≤ 6.6.*
`6.12.66`	unaffected	≤ 6.12.*
`6.18.6`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Based on the description, the fix that resolves this issue has been merged into the kernel; upgrading to a Linux kernel release that contains the libceph authentication patch—such releases should be available after the 6.19 rc4 cycle—will remediate the vulnerability.
If a kernel upgrade cannot be performed immediately, disable Ceph secure mode or restrict Ceph traffic to trusted hosts so that the crash‑prone code path is not exercised during the vulnerability window.
Monitor kernel logs (for example, dmesg or journalctl) for WARN entries from setup_crypto() or messages indicating a NULL pointer dereference; be prepared to reboot or restart affected services if such events occur.

Generated by OpenCVE AI on April 18, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6126-1	linux security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8096-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8096-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8096-5	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8116-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8141-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d
https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16
https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5
https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1
https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d
https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70
https://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22992-0607@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-22992
https://www.cve.org/CVERecord?id=CVE-2026-22992

History

Thu, 26 Feb 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 24 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22992-0607@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-22992 https://www.cve.org/CVERecord?id=CVE-2026-22992
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 23 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().
Title		libceph: return the handler error from mon_handle_auth_done()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16 https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5 https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1 https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-01-23T15:24:12.993Z

Updated: 2026-02-09T08:36:43.404Z

Reserved: 2026-01-13T15:37:45.937Z

Link: CVE-2026-22992

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-01-23T16:15:55.290

Modified: 2026-02-26T18:47:46.900

Link: CVE-2026-22992

Redhat

Severity : Moderate

Publid Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22992 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object