Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.

This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null-pointer dereference that occurs in the Linux kernel’s Ceph client stack. When an authentication reply message containing zero values for both protocol and result arrives while negotiation is active, the code clears the protocol field and sets the ops pointer to NULL. It then skips protocol initialization and later attempts to call ac->ops->handle_reply(), dereferencing a NULL pointer. This can crash the kernel, leading to denial of service or privilege escalation if an attacker can trigger the vulnerability.
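
The flow described above, as an added user-space model in C (not the kernel source and not code from the patch): it runs the old check `ac->protocol != protocol` and the new check `!ac->protocol` against a constructed reply whose protocol and result are both zero. The struct layouts, return codes, the `patched` switch, the early `result` test and `run_reply()` are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model only. Field names follow the description; the types,
 * return codes and helper bodies are assumptions made for illustration. */
enum { REPLY_OK = 0, ERR_BAD_PROTOCOL = -1, WOULD_DEREF_NULL = -2 };
struct auth_ops { int (*handle_reply)(void); };
struct auth_client { int negotiating; unsigned protocol; const struct auth_ops *ops; };
static int model_handle_reply(void) { return REPLY_OK; }
static const struct auth_ops model_ops = { model_handle_reply };
/* Stand-in for init_protocol(): 0 is never a usable auth protocol. */
static int init_protocol(struct auth_client *ac, unsigned protocol)
{
    if (protocol == 0)
        return ERR_BAD_PROTOCOL;
    ac->protocol = protocol;
    ac->ops = &model_ops;
    return 0;
}

/* patched == 0: old check (ac->protocol != protocol); 1: new check (!ac->protocol). */
static int handle_auth_reply(struct auth_client *ac, unsigned protocol, int result, int patched)
{
    if (result < 0)                 /* simplification: a failed result ends here */
        return result;
    if (ac->negotiating) {
        if (ac->protocol && ac->protocol != protocol) {
            ac->protocol = 0;       /* drop the previously selected handler */
            ac->ops = NULL;
        }
        if (patched ? !ac->protocol : ac->protocol != protocol) {
            int ret = init_protocol(ac, protocol);
            if (ret)
                return ret;         /* rejected as a bad auth protocol */
        }
        ac->negotiating = 0;
    }
    if (!ac->ops)                   /* guard exists only in this model; the */
        return WOULD_DEREF_NULL;    /* kernel calls ac->ops->handle_reply() */
    return ac->ops->handle_reply();
}
/* Constructed input: client mid-negotiation with protocol cur (> 0) selected. */
static int run_reply(unsigned cur, unsigned protocol, int result, int patched)
{
    struct auth_client ac = { 1, cur, &model_ops };
    return handle_auth_reply(&ac, protocol, result, patched);
}
int main(void)
{
    printf("old check: %d, new check: %d\n", run_reply(2, 0, 0, 0), run_reply(2, 0, 0, 1));
}
```

With the old check the zero/zero reply reaches the handler call with `ops` cleared; with the new check the same reply is rejected in `init_protocol()`, while a reply naming a valid protocol behaves identically under both.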

Affected Systems

Affected systems are Linux kernel implementations that include the Ceph client stack. The specific kernel versions impacted are not listed in the advisory, and the vulnerability is considered a kernel-level flaw that may affect generic distributions that ship the stock kernel. Any system running the vulnerable Ceph code path before the patch is susceptible.

Risk and Exploitability

The CVSS score is not provided, but the nature of a kernel null‑pointer dereference generally implies high severity. The EPSS score is unavailable and the issue is not listed in CISA KEV. Attackers could trigger the flaw over the network by sending a crafted CEPH_MSG_AUTH_REPLY message from a Ceph client or manager. No authentication assumptions are required beyond establishing an authentication negotiation. The risk remains high until the patch is deployed.

Generated by OpenCVE AI on May 27, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch (commit 016bc663 or later).
  • If a kernel update is not possible immediately, restrict Ceph client traffic from untrusted hosts by firewall or network segmentation.
  • Monitor kernel logs for crashes related to Ceph authentication and investigate any relevant oopses.

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.
Title libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:29.932Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46024

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:20.890

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:30:40Z

Weaknesses