Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_reply() and returned to
handle_auth_reply(). Thereafter, an attempt is made to send the
preallocated message of type CEPH_MSG_AUTH, where the returned value is
interpreted as the size of the front segment to send. If the result
value in the message is greater than the size of the memory buffer
allocated for the front segment, an out-of-bounds access occurs, and
the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the
result field as errors. Positive values are therefore treated as success
in the same way as a zero value. Additionally, a BUG_ON is added to
__send_prepared_auth_request() comparing the len parameter to
front_alloc_len to prevent sending the message if it exceeds the bounds
of the allocation and to make it easier to catch any logic flaws leading
to this.
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s libceph module, a slab-out-of-bounds access can be triggered when a CEPH_MSG_AUTH_REPLY contains a positive result value. The kernel mistakenly treats that value as the size of the front segment for a subsequent CEPH_MSG_AUTH message and reads beyond the allocated buffer, sending kernel memory contents out over the network. This flaw is related to the weakness CWE-131 (Incorrect Calculation of Buffer Size). The patch treats only negative result values as errors and adds a BUG_ON that guards against sending a message whose length exceeds the allocated front buffer. Based on the description, it is inferred that an attacker can inject a malicious CEPH_MSG_AUTH_REPLY along the Ceph data path to cause the out-of-bounds read and potentially trigger a kernel panic via the BUG_ON.
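A user-space model of the flow described above, added here as an illustration; it is not the kernel's libceph code. The buffer sizes, the function names, and the convention that a successfully handled reply returns the length of the next request are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRONT_ALLOC_LEN 64   /* constructed: size of the preallocated front buffer */
#define SLAB_LEN        128  /* constructed: front buffer plus adjacent memory */
#define NEXT_REQ_LEN    24   /* constructed: length of the request built on success */

static uint8_t slab[SLAB_LEN];  /* [0,64) front buffer, [64,128) neighbouring object */
static uint8_t wire[SLAB_LEN];  /* what the model "sends" */

/* Before the fix: any non-zero result field comes back as an "error code". */
static int handle_reply_before(int32_t result) { return result ? result : NEXT_REQ_LEN; }

/* After the fix: only negative values are errors; positive is handled like zero. */
static int handle_reply_after(int32_t result) { return result < 0 ? result : NEXT_REQ_LEN; }

/* Send len bytes of the front segment. With checked != 0, refuse len beyond the
 * allocation (the kernel patch uses BUG_ON here; this model returns -1). */
static int send_front(int len, int checked)
{
    if (len <= 0 || len > SLAB_LEN)        /* keep the model itself in bounds */
        return -1;
    if (checked && len > FRONT_ALLOC_LEN)
        return -1;
    memcpy(wire, slab, (size_t)len);
    return len;
}

/* Returns how many bytes of the neighbouring object reach the wire. */
int leaked_bytes(int32_t result, int fixed)
{
    int ret, i, leaked = 0;
    memset(slab, 0x00, FRONT_ALLOC_LEN);
    memset(slab + FRONT_ALLOC_LEN, 0xAA, SLAB_LEN - FRONT_ALLOC_LEN); /* marker */
    memset(wire, 0x00, sizeof(wire));
    ret = fixed ? handle_reply_after(result) : handle_reply_before(result);
    if (ret > 0)                           /* caller treats ret as the front length */
        send_front(ret, fixed);
    for (i = 0; i < SLAB_LEN; i++)
        leaked += wire[i] == 0xAA;
    return leaked;
}

int main(void)
{
    printf("result=100: before fix %d bytes leaked, after fix %d\n",
           leaked_bytes(100, 0), leaked_bytes(100, 1));
    return 0;
}
```

The two changes are independent layers: the sign check stops the reply's result field from being reused as a length, and the length check in the send path catches any other caller that passes an oversized value.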

Affected Systems

All Linux kernel builds that include the libceph module and that have not yet incorporated the commit implementing this out-of-bounds protection are affected. The vulnerability applies to every kernel version prior to the patch, regardless of kernel configuration, as long as libceph is compiled into the kernel.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical-severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the flaw is not listed in the CISA KEV catalog. Nevertheless, the weakness enables kernel memory disclosure and could lead to a denial of service via a BUG_ON panic. The most likely attack vector is a malicious Ceph client or monitor that can inject a crafted CEPH_MSG_AUTH_REPLY message; the attacker only needs to provoke the kernel to process the message. No public exploits have been documented, but the nature of the flaw makes future exploitation possible if a trusted Ceph component is compromised.

Generated by OpenCVE AI on May 30, 2026 at 13:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the libceph slab-out-of-bounds fix.
  • If an immediate kernel upgrade is not feasible, configure network controls to block untrusted Ceph traffic from sources that are not formally authorized as Ceph nodes or monitors.
  • Enable kernel logging and monitor for BUG_ON warnings or unusual Ceph message handling errors, and investigate any incidents as a potential exploitation attempt.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title libceph: Fix slab-out-of-bounds access in auth message processing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:55:49.923Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46119

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:27.390

Modified: 2026-06-01T17:17:24.953

Link: CVE-2026-46119

Red Hat

Severity: Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46119 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size