Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: fix oops due to invalid pointer for kfree() in parse_longname()

This fixes a kernel oops when reading ceph snapshot directories (.snap),
for example by simply running `ls /mnt/my_ceph/.snap`.

The variable str is guarded by __free(kfree), but advanced by one for
skipping the initial '_' in snapshot names. Thus, kfree() is called
with an invalid pointer. This patch removes the need for advancing the
pointer so kfree() is called with correct memory pointer.

Steps to reproduce:

1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)

2. Add cephfs mount to fstab
$ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab

3. Reboot the system
$ systemctl reboot

4. Check if it's really mounted
$ mount | grep stuff

5. List snapshots (expected 63 snapshots on my system)
$ ls /mnt/test/stuff/.snap

Now ls hangs forever and the kernel log shows the oops.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Oops leading to Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability lies in the Linux kernel’s handling of Ceph snapshot directories. When a user lists a .snap directory, the function parse_longname() advances a pointer past an underscore and then calls kfree() on that advanced pointer. Because the pointer is not the original allocation reference, the kernel attempts to free invalid memory, triggering an oops. The crash effectively brings the kernel to a halt, disrupting all processes and requiring a system reboot. No remote code execution or data exfiltration is possible, but the denial of service can be critical for production environments that rely on CephFS.

Affected Systems

Affected systems are Linux kernel builds that include the unpatched parse_longname() code, notably all 6.19 release candidates from rc1 through rc8 and any subsequent kernel versions until the patch is applied. Any kernel that mounts a Ceph filesystem and enumerates its .snap directories is susceptible. The issue manifests during normal operations such as running 'ls /mnt/<ceph_mount>/.snap' or accessing the snapshot list through a Ceph client.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate impact, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attack requires local access to a machine that can mount the affected CephFS and enumerate snapshots, implying a local threat model rather than remote exploitation. The bug results in a kernel crash rather than privilege escalation or data loss, but the denial of service can have significant operational consequences.

Generated by OpenCVE AI on April 17, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the patch committing the safe free operation (e.g., upgrade to 6.19 rc9 or a later stable release).
  • If an immediate kernel upgrade is not feasible, manually rebuild the kernel with the patch from the referenced commits applied to resolve the invalid kfree call.
  • Until a kernel fix is deployed, avoid commands that list .snap directories or schedule Ceph snapshots on systems that cannot be updated promptly.

Generated by OpenCVE AI on April 17, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6141-1 linux security update
History

Thu, 19 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer. Steps to reproduce: 1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase) 2. Add cephfs mount to fstab $ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab 3. Reboot the system $ systemctl reboot 4. Check if it's really mounted $ mount | grep stuff 5. List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap Now ls hangs forever and the kernel log shows the oops.
Title ceph: fix oops due to invalid pointer for kfree() in parse_longname()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:25.693Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23201

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T17:15:57.950

Modified: 2026-03-19T16:35:58.490

Link: CVE-2026-23201

cve-icon Redhat

Severity :

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23201 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses