CVE-2026-23136
Description
In the Linux kernel, the following vulnerability has been resolved:
libceph: reset sparse-read state in osd_fault()
When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state.
If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like:
libceph: [0] got 0 extents libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read
Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing sparse-read state reset in the Linux kernel's libceph on OSD fault can cause infinite error loops, leading to denial of service.
Root
Cause
The vulnerability resides in the Linux kernel's Ceph OSD (Object Storage Daemon) client library (libceph). When an OSD connection encounters a fault, the connection is abandoned and reestablished while pending operations are retried. The sparse-read reply state machine—used to handle partial read responses—is maintained independently of the messenger's connection state. The fault handling code in osd_fault() did not reset this sparse-read state, causing it to retain its old, possibly intermediate or error state across reconnections.
##[1]()? This oversight means that after a fault, a new reply may be mis‑interpreted as a continuation of the previous, incomplete reply.
Attack
Vector
The vulnerability can be triggered by an attacker who is able to induce a connection fault between a client and a Ceph OSD while a sparse read is in progress—for example by causing a network disruption or a malicious OSD that terminates the TCP connection mid‑payload. No authentication is required beyond normal Ceph network access. The attack is entirely network‑based and does not require any local privileges on the client machine.
Impact
Successful exploitation leads to an infinite loop where the sparse‑read engine repeatedly fails with log messages such as "got 0 extents" and "data len 142248331 != extent len 0", and each failure triggers another socket error, thus exhausting CPU resources and effectively causing a denial‑of‑service (DoS) condition on the affected client system. The high severity is justified by the DoS impact and the fact that the loop can prevent the client from making further progress on any OSD operations.
Mitigation
This issue has been patched in the Linux kernel stable update that includes commit 10b7c7281036 and related backport commits (references [1] and [2]). All Linux kernel users running Ceph clients are advised to update to a kernel version containing the fix. No workaround is known other than applying the patch or avoiding network conditions that cause OSD faults during sparse reads.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.6,<6.6.121
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.