Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_reply() and returned to
handle_auth_reply(). Thereafter, an attempt is made to send the
preallocated message of type CEPH_MSG_AUTH, where the returned value is
interpreted as the size of the front segment to send. If the result
value in the message is greater than the size of the memory buffer
allocated for the front segment, an out-of-bounds access occurs, and
the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the
result field as errors. Positive values are therefore treated as success
in the same way as a zero value. Additionally, a BUG_ON is added to
__send_prepared_auth_request() comparing the len parameter to
front_alloc_len to prevent sending the message if it exceeds the bounds
of the allocation and to make it easier to catch any logic flaws leading
to this.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel's libceph module allows an out-of-bounds read during authentication message processing. When a CEPH_MSG_AUTH_REPLY contains a positive result value, the kernel treats it as an error code and later uses it as the size of the front segment when sending a CEPH_MSG_AUTH message. If that value exceeds the allocated buffer, the send reads past the end of the allocation and transmits whatever lies beyond it, which may be uninitialized or sensitive kernel data. The fix adds a BUG_ON on the same send path, which can trigger a kernel panic, potentially causing a denial of service.
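
A simplified userspace model of the logic described above, added here as an illustration and not taken from the kernel source or from this page: the function names, the 64-byte front allocation and the sample result values are assumptions. It computes how many bytes past the allocation would be sent, with the sign check and the length check toggled independently.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRONT_ALLOC_LEN 64u /* constructed size for this model */

/* Before the fix: any non-zero result field comes back as an "error". */
static int reply_before_fix(int32_t result)
{
    return result;
}

/* After the fix: only negative values are errors; positive == success. */
static int reply_after_fix(int32_t result)
{
    return result < 0 ? result : 0;
}

/* Stand-in for the added BUG_ON: reject (-1) a length larger than the
 * front allocation. The kernel halts instead of returning. */
static long send_len_checked(long len, size_t front_alloc_len)
{
    if (len < 0 || (size_t)len > front_alloc_len)
        return -1;
    return len;
}

/* Caller model: a positive return value becomes the length of the front
 * segment to send. Returns the bytes beyond the allocation that would
 * go out (0 = none). */
static size_t bytes_past_alloc(int32_t result, int sign_fix, int len_check)
{
    long len = sign_fix ? reply_after_fix(result) : reply_before_fix(result);
    if (len <= 0)
        return 0; /* no positive length, so this path sends nothing */
    if (len_check && send_len_checked(len, FRONT_ALLOC_LEN) < 0)
        return 0; /* send refused before the buffer is read */
    return (size_t)len > FRONT_ALLOC_LEN ? (size_t)len - FRONT_ALLOC_LEN : 0;
}

int main(void)
{
    const int32_t samples[] = { -13, 0, 32, 4096 }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("result=%d unpatched=%zu patched=%zu\n", (int)samples[i],
               bytes_past_alloc(samples[i], 0, 0), bytes_past_alloc(samples[i], 1, 1));
    return 0;
}
```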

Affected Systems

All Linux kernel builds that include the libceph module are impacted. The issue is present in every kernel version prior to the commit that fixed the slab-out-of-bounds access; no specific upstream version numbers are delineated in the provided data.

Risk and Exploitability

The CVSS score is not listed, but the vulnerability enables kernel memory disclosure and can lead to a crash, representing a severe security risk. The EPSS metric is not available, so the likelihood of active exploitation remains undetermined. Because the bug resides in core kernel code, any host running a Ceph client or monitor is potentially exposed. The most likely attack vector is a Ceph node or client that can inject a malformed CEPH_MSG_AUTH_REPLY; the attacker need only provoke the kernel to process the crafted message. No CISA KEV listing exists, indicating no known public exploits, though the nature of the flaw suggests that future exploitation could become possible if an attacker can reliably deliver crafted authentication replies.

Generated by OpenCVE AI on May 28, 2026 at 12:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the libceph slab out-of-bounds fix.
  • If immediate kernel upgrade is not feasible, configure firewall or Ceph cluster controls to block untrusted CEPH_MSG_AUTH_REPLY traffic until a patched kernel is deployed.
  • Scrutinize kernel logs for BUG_ON or related kernel warnings that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119, CWE-20

Thu, 28 May 2026 10:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.

Type: Title
Values Removed: (none)
Values Added: libceph: Fix slab-out-of-bounds access in auth message processing

Type: First Time appeared
Values Removed: (none)
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:34.543Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46119

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:27.390

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:30:16Z

Weaknesses