CVE-2026-23189 - Vulnerability Details

- ceph: fix NULL pointer dereference in ceph_mds_auth_match()

Description

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix NULL pointer dereference in ceph_mds_auth_match()

The CephFS kernel client has regression starting from 6.18-rc1.
We have issue in ceph_mds_auth_match() if fs_name == NULL:

const char fs_name = mdsc->fsc->mount_options->mds_namespace;
...
if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
/ fsname mismatch, try next one */
return 0;
}

Patrick Donnelly suggested that: In summary, we should definitely start
decoding `fs_name` from the MDSMap and do strict authorizations checks
against it. Note that the `-o mds_namespace=foo` should only be used for
selecting the file system to mount and nothing else. It's possible
no mds_namespace is specified but the kernel will mount the only
file system that exists which may have name "foo".

This patch reworks ceph_mdsmap_decode() and namespace_equals() with
the goal of supporting the suggested concept. Now struct ceph_mdsmap
contains m_fs_name field that receives copy of extracted FS name
by ceph_extract_encoded_string(). For the case of "old" CephFS file
systems, it is used "cephfs" name.

[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),
get rid of a series of strlen() calls in ceph_namespace_match(),
drop changes to namespace_equals() body to avoid treating empty
mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()
as namespace_equals() isn't an equivalent substitution there ]

Published: 2026-02-14

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a NULL pointer dereference in the CephFS kernel client, triggered when the authentication match function receives a NULL filesystem name. This causes an unintended kernel crash that results in a system reboot, disrupting availability. The weakness corresponds to CWE‑476.

Affected Systems

Affected servers run the Linux kernel, specifically versions 6.18 and later, including the 6.19 release candidates through rc8. The regression was introduced starting at 6.18‑rc1 and continues through each subsequent release until the patch is applied.

Risk and Exploitability

The CVSS score is 5.5, indicating medium severity, and the EPSS score is below 1 %, suggesting a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The most likely attack vector involves a local or remote user interacting with the CephFS module – for example, mounting a Ceph filesystem with an improperly specified namespace – which can trigger the code path leading to the crash.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`07640d34a781bb2e39020a39137073c03c4aa932`	affected	< c6f8326f26bd20d648d9a55afd68148d1b6afe28
`22c73d52a6d05c5a2053385c0d6cd9984732799d`	affected	< 57b36ffc8881dd455d875f85c105901974af2130
`22c73d52a6d05c5a2053385c0d6cd9984732799d`	affected	< 7987cce375ac8ce98e170a77aa2399f2cf6eb99f
`ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523`	affected	—

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.12.70`	unaffected	≤ 6.12.*
`6.18.10`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`[07640d34a781bb2e39020a39137073c03c4aa932,c6f8326f26bd20d648d9a55afd68148d1b6afe28)`	affected	code_commit	—
`[22c73d52a6d05c5a2053385c0d6cd9984732799d,57b36ffc8881dd455d875f85c105901974af2130)`	affected	code_commit	—
`[22c73d52a6d05c5a2053385c0d6cd9984732799d,7987cce375ac8ce98e170a77aa2399f2cf6eb99f)`	affected	code_commit	—
`ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523`	affected	code_commit	—

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`6.18`	affected	semver	—
`[0,6.18)`	unaffected	semver	—
`[6.12.70,6.13.0)`	unaffected	semver	—
`[6.18.10,6.19.0)`	unaffected	semver	—
`[6.19,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel version that includes the CephFS patch (6.18‑rc1 onward), or backport the fix to the current kernel.
Reboot the system after updating to ensure the kernel change takes effect.
If an update cannot be performed immediately, avoid mounting CephFS or restrict access to CephF clients until the patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6141-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130
https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f
https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28
https://lore.kernel.org/linux-cve-announce/2026021432-CVE-2026-23189-3d9f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23189
https://www.cve.org/CVERecord?id=CVE-2026-23189

History

Wed, 18 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 17 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021432-CVE-2026-23189-3d9f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23189 https://www.cve.org/CVERecord?id=CVE-2026-23189

Sat, 14 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ceph: fix NULL pointer dereference in ceph_mds_auth_match() The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL: const char fs_name = mdsc->fsc->mount_options->mds_namespace; ... if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) { / fsname mismatch, try next one / return 0; } Patrick Donnelly suggested that: In summary, we should definitely start decoding `fs_name` from the MDSMap and do strict authorizations checks against it. Note that the `-o mds_namespace=foo` should only be used for selecting the file system to mount and nothing else. It's possible no mds_namespace is specified but the kernel will mount the only file system that exists which may have name "foo". This patch reworks ceph_mdsmap_decode() and namespace_equals() with the goal of supporting the suggested concept. Now struct ceph_mdsmap contains m_fs_name field that receives copy of extracted FS name by ceph_extract_encoded_string(). For the case of "old" CephFS file systems, it is used "cephfs" name. [ idryomov: replace redundant %pE with %s in ceph_mdsmap_decode(), get rid of a series of strlen() calls in ceph_namespace_match(), drop changes to namespace_equals() body to avoid treating empty mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap() as namespace_equals() isn't an equivalent substitution there ]
Title		ceph: fix NULL pointer dereference in ceph_mds_auth_match()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130 https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T16:27:17.549Z

Updated: 2026-02-14T16:27:17.549Z

Reserved: 2026-01-13T15:37:45.985Z

Link: CVE-2026-23189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-14T17:15:56.703

Modified: 2026-03-18T17:18:58.633

Link: CVE-2026-23189

Redhat

Severity :

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23189 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object