CVE-2026-43407

Severity: Critical
CVSS 3.1 base score: 9.1
EPSS: 41.2%
Published: May 8, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()

This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY.

In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.

This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length. Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.

  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
  Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262

  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  Workqueue: ceph-msgr ceph_con_workfn [libceph]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x76/0xa0
   print_report+0xd1/0x620
   ? __pfx__raw_spin_lock_irqsave+0x10/0x10
   ? kasan_complete_mode_report_info+0x72/0x210
   kasan_report+0xe7/0x130
   ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
   ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
   __asan_report_load_n_noabort+0xf/0x20
   ceph_handle_auth_reply+0x642/0x7a0 [libceph]
   mon_dispatch+0x973/0x23d0 [libceph]
   ? apparmor_socket_recvmsg+0x6b/0xa0
   ? __pfx_mon_dispatch+0x10/0x10 [libceph]
   ? __kasan_check_write+0x14/0x30
   ? mutex_unlock+0x7f/0xd0
   ? __pfx_mutex_unlock+0x10/0x10
   ? __pfx_do_recvmsg+0x10/0x10 [libceph]
   ceph_con_process_message+0x1f1/0x650 [libceph]
   process_message+0x1e/0x450 [libceph]
   ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
   ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
   ? save_fpregs_to_fpstate+0xb0/0x230
   ? raw_spin_rq_unlock+0x17/0xa0
   ? finish_task_switch.isra.0+0x13b/0x760
   ? __switch_to+0x385/0xda0
   ? __kasan_check_write+0x14/0x30
   ? mutex_lock+0x8d/0xe0
   ? __pfx_mutex_lock+0x10/0x10
   ceph_con_workfn+0x248/0x10c0 [libceph]
   process_one_work+0x629/0xf80
   ? __kasan_check_write+0x14/0x30
   worker_thread+0x87f/0x1570
   ? __pfx__raw_spin_lock_irqsave+0x10/0x10
   ? __pfx_try_to_wake_up+0x10/0x10
   ? kasan_print_address_stack_frame+0x1f7/0x280
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x396/0x830
   ? __pfx__raw_spin_lock_irq+0x10/0x10
   ? __pfx_kthread+0x10/0x10
   ? __kasan_check_write+0x14/0x30
   ? recalc_sigpending+0x180/0x210
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x3f7/0x610
   ? __pfx_ret_from_fork+0x10/0x10
   ? __switch_to+0x385/0xda0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

[ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]
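Added example, not kernel code and not part of the commit above: a user-space model of the length handling the commit message describes, with the pre-fix int lengths beside the fixed u32 lengths plus ceph_decode_need()-style checks. The decode cursor is an offset instead of a raw pointer so that a position before the buffer can be represented and reported rather than dereferenced; has_room() reproduces the end-only predicate the commit message blames; the field order follows the commit message; run_case() and build_auth_reply() are this example's own helpers and the message bytes are constructed. The trace above places the read on the monitor-client path (ceph-msgr workqueue, mon_dispatch), so in practice the message comes from whatever endpoint the client accepts as its monitor.

```c
/* Added example, not kernel code: user-space model of the length handling in
 * ceph_handle_auth_reply() before and after the fix; run_case()/build_auth_reply() are its own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0 = parsed, 1 = rejected at a "bad:" label, 2 = read outside the buffer */
enum verdict { VERDICT_OK = 0, VERDICT_BAD = 1, VERDICT_OOB_READ = 2 };

/* Offset cursor: a position before the buffer is representable without UB. */
struct cursor { const uint8_t *buf; ptrdiff_t pos, end; };

/* Same predicate as the kernel's ceph_has_room() behind ceph_decode_need(): it
 * asks whether pos + n stays below end, never whether pos is below the start. */
static bool has_room(const struct cursor *c, size_t n)
{
	return c->end >= c->pos && n <= (size_t)(c->end - c->pos);
}

/* LE u32 load; a load outside [0, end) is the KASAN slab-out-of-bounds, flagged not performed. */
static bool load_le32(struct cursor *c, uint32_t *out)
{
	if (c->pos < 0 || c->pos + 4 > c->end)
		return false;
	const uint8_t *p = c->buf + c->pos;
	*out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
	c->pos += 4;
	return true;
}

/* Before the fix: int lengths, and the only check after skipping the payload
 * is ceph_decode_need(&p, end, sizeof(u32), bad). */
enum verdict parse_auth_reply_vulnerable(const uint8_t *buf, size_t len)
{
	struct cursor c = { buf, 0, (ptrdiff_t)len };
	uint32_t w; int payload_len, result_msg_len;
	if (!has_room(&c, 4 * 3 + 8)) return VERDICT_BAD;
	c.pos += 4 + 4 + 8;		/* skip protocol, result, global_id */
	if (!load_le32(&c, &w)) return VERDICT_OOB_READ;
	payload_len = (int32_t)w;	/* > INT_MAX turns negative (gcc/clang wrap) */
	c.pos += payload_len;		/* negative: the cursor moves backwards */
	if (!has_room(&c, 4)) return VERDICT_BAD;		/* passes: pos is still "before end" */
	if (!load_le32(&c, &w)) return VERDICT_OOB_READ;	/* the 4-byte read KASAN caught */
	result_msg_len = (int32_t)w;
	c.pos += result_msg_len;
	return c.pos == c.end ? VERDICT_OK : VERDICT_BAD;
}

/* After the fix: u32 lengths, each checked with ceph_decode_need() against
 * the remaining segment before the cursor is advanced by it. */
enum verdict parse_auth_reply_fixed(const uint8_t *buf, size_t len)
{
	struct cursor c = { buf, 0, (ptrdiff_t)len };
	uint32_t payload_len, result_msg_len;
	if (!has_room(&c, 4 * 3 + 8)) return VERDICT_BAD;
	c.pos += 4 + 4 + 8;
	if (!load_le32(&c, &payload_len)) return VERDICT_OOB_READ;
	if (!has_room(&c, payload_len)) return VERDICT_BAD;	/* added length check */
	c.pos += payload_len;
	if (!has_room(&c, 4)) return VERDICT_BAD;
	if (!load_le32(&c, &result_msg_len)) return VERDICT_OOB_READ;
	if (!has_room(&c, result_msg_len)) return VERDICT_BAD;	/* added length check */
	c.pos += result_msg_len;
	return c.pos == c.end ? VERDICT_OK : VERDICT_BAD;
}

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Constructed 34-byte CEPH_MSG_AUTH_REPLY body: 8-byte payload, 2-byte result
 * message. payload_len_field is attacker-controlled and need not match the payload present. */
size_t build_auth_reply(uint8_t *out, uint32_t payload_len_field)
{
	size_t n = 0;
	put_le32(out + n, 2); n += 4;			/* protocol */
	put_le32(out + n, 0); n += 4;			/* result */
	memset(out + n, 0, 8); n += 8;			/* global_id */
	put_le32(out + n, payload_len_field); n += 4;
	memset(out + n, 0xAA, 8); n += 8;		/* payload */
	put_le32(out + n, 2); n += 4;			/* result_msg_len */
	memcpy(out + n, "ok", 2); n += 2;		/* result_msg */
	return n;
}

/* Build one message and run it through the chosen parser. */
enum verdict run_case(uint32_t payload_len_field, bool fixed)
{
	uint8_t msg[64];
	size_t n = build_auth_reply(msg, payload_len_field);
	return fixed ? parse_auth_reply_fixed(msg, n) : parse_auth_reply_vulnerable(msg, n);
}

int main(void)
{
	const uint32_t cases[] = { 8, 0x80000000u, 0x7FFFFFFFu };
	for (int i = 0; i < 3; i++)
		printf("payload_len=0x%08x vulnerable=%d fixed=%d\n", (unsigned)cases[i],
		       run_case(cases[i], false), run_case(cases[i], true));
	return 0;
}
```

Build with any C99 compiler and run. The three cases show the asymmetry the commit message points at: a well-formed length parses on both sides; INT_MAX + 1 (0x80000000) is accepted by the old has_room() check and reaches the backwards 4-byte read (vulnerable=2) while the fixed parser rejects it at the new length check (fixed=1); INT_MAX (0x7FFFFFFF) moves the cursor forward past end, which even the old end-only check catches (both 1). Only the sign flip defeats an end-only bound.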

CVSS Details

Base Score: 9.1
Exploitability: 3.9
Impact: 5.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Threat Intelligence

EPSS exploit probability: 41.2% percentile
Exploit status: No known exploit
Patch status: Patch available

Weaknesses (1)

CWE-125: Out-of-bounds Read (Memory Safety)

Affected Products (17)

Vendor   Product        Version    Range
linux    linux_kernel   *          ≥ 2.6.34.1 and < 5.10.253
linux    linux_kernel   *          ≥ 5.11 and < 5.15.203
linux    linux_kernel   *          ≥ 5.16 and < 6.1.167
linux    linux_kernel   *          ≥ 6.2 and < 6.6.130
linux    linux_kernel   *          ≥ 6.7 and < 6.12.78
linux    linux_kernel   *          ≥ 6.13 and < 6.18.19
linux    linux_kernel   *          ≥ 6.19 and < 6.19.9
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   2.6.34     any
linux    linux_kernel   7.0        any
linux    linux_kernel   7.0        any
linux    linux_kernel   7.0        any

References (8)

  • https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472 (Patch)
  • https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656 (Patch)
  • https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665 (Patch)
  • https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72 (Patch)
  • https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847 (Patch)
  • https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0 (Patch)
  • https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d (Patch)
  • https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969 (Patch)

Remediation

The eight git.kernel.org commits listed under References are the libceph fix and its stable backports; apply the one for your kernel series, or move to a release at or past the upper bound of the matching affected range: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19 or 6.19.9.

Exposure check: the vulnerable code is in the libceph module, and the trace shows the crafted CEPH_MSG_AUTH_REPLY being handled on the monitor-client path (ceph-msgr workqueue, mon_dispatch). A host is therefore exposed only if it loads libceph as an in-kernel Ceph client (CephFS or RBD) and can receive an auth reply from an untrusted or compromised monitor endpoint; hosts that never load the module have no reachable path to this code but should still take the update before they do. No workaround short of the patch is listed on this page.