Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.

This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.
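The control flow described above, as an added example: a simplified user-space model, not the kernel source and not code from the patch. The names `reply_ok`, `model_ops`, `run_case`, the `patched` flag and the three return codes are hypothetical, and the early rejection of a nonzero `result` is an assumption of the model.

```c
#include <stddef.h>

/* Simplified user-space model of the negotiation branch; not kernel source. */
struct auth_ops { int (*handle_reply)(void); };
struct auth_client { int protocol; int negotiating; const struct auth_ops *ops; };
enum { REPLY_OK = 0, ERR_BAD_PROTOCOL = -1, WOULD_DEREF_NULL = -2 }; /* model-only codes */

static int reply_ok(void) { return REPLY_OK; }
static const struct auth_ops model_ops = { reply_ok };

/* Stand-in for init_protocol(): protocol 0 has no handler, so it is rejected. */
static int init_protocol(struct auth_client *ac, int protocol)
{
    if (protocol <= 0)
        return ERR_BAD_PROTOCOL;
    ac->protocol = protocol;
    ac->ops = &model_ops;
    return 0;
}

/* patched == 0: original check (ac->protocol != protocol); patched == 1: !ac->protocol. */
static int handle_auth_reply(struct auth_client *ac, int protocol, int result, int patched)
{
    if (result)                       /* assumption: nonzero result is rejected early */
        return result;
    if (ac->negotiating) {
        if (ac->protocol && ac->protocol != protocol) {
            ac->protocol = 0;         /* old handler dropped */
            ac->ops = NULL;
        }
        if (patched ? !ac->protocol : ac->protocol != protocol) {
            int ret = init_protocol(ac, protocol);
            if (ret)
                return ret;           /* bad auth protocol */
        }
        ac->negotiating = 0;
    }
    if (!ac->ops)                     /* the kernel would dereference NULL here */
        return WOULD_DEREF_NULL;
    return ac->ops->handle_reply();
}

/* Client mid-negotiation with start_protocol selected receives a reply with result 0. */
static int run_case(int start_protocol, int reply_protocol, int patched)
{
    struct auth_client ac = { start_protocol, 1, &model_ops };
    return handle_auth_reply(&ac, reply_protocol, 0, patched);
}

int main(void)
{
    return !(run_case(2, 0, 0) == WOULD_DEREF_NULL && run_case(2, 0, 1) == ERR_BAD_PROTOCOL);
}
```

With the original check, a reply carrying protocol 0 reaches the handler call with `ops` still NULL; with the patched check the same reply is rejected in `init_protocol()`, while a legitimate protocol switch or an unchanged protocol still succeeds.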
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null-pointer dereference (CWE-476), rooted in improper validation of input (CWE-1287), occurs in the Linux kernel's Ceph client stack when a CEPH_MSG_AUTH_REPLY message contains zero values for both protocol and result during an active negotiation. The code clears the protocol, sets ops to NULL, skips protocol initialization, and later calls ac->ops->handle_reply(), leading to a kernel crash. The flaw is an incorrect check that, when triggered, results in a denial of service through a kernel panic.

Affected Systems

The flaw affects Linux kernel variants that include the Ceph client subsystem. No specific kernel version is listed, so any release shipping the vulnerable code path prior to the patch may be impacted. Generic distributions with the default stock kernel are therefore potentially exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for this kernel null‑pointer dereference. The EPSS score is < 1%, showing a very low exploitation probability, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker can trigger the flaw by sending a crafted CEPH_MSG_AUTH_REPLY message over the network from a Ceph client or manager. The risk remains significant until the patch is applied, as it can lead to an immediate kernel crash.

Generated by OpenCVE AI on May 30, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a recent release that includes the patch (commit 016bc663 or later).
  • If a kernel update cannot be applied immediately, block or limit Ceph client traffic from untrusted hosts using firewall rules or network segmentation to prevent the crafted authentication reply messages.
  • Monitor system logs, dmesg, and kernel dumps for signs of panics or oopses related to Ceph authentication and apply the patch as soon as possible.

Generated by OpenCVE AI on May 30, 2026 at 12:44 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.
Title libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:45.491Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46024

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:20.890

Modified: 2026-06-16T15:55:09.843

Link: CVE-2026-46024

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46024 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses
  • CWE-1287

    Improper Validation of Specified Type of Input

  • CWE-476

    NULL Pointer Dereference