CVE-2026-43407
Description
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262

CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ceph_handle_auth_reply() allows remote attackers to trigger out-of-bounds memory access via crafted auth reply messages.
Vulnerability
Analysis
CVE-2026-43407 is a critical vulnerability in the Linux kernel's Ceph file system (libceph) that allows remote attackers to cause out-of-bounds memory access. The bug resides in the ceph_handle_auth_reply() function, which processes authentication reply messages of type CEPH_MSG_AUTH_REPLY. The payload_len field is stored in an int, so a crafted message that sets this field to a value greater than INT_MAX causes the value to wrap and be interpreted as a negative number. That negative value is added to the buffer pointer, moving it backwards, and the subsequent access falls outside the allocated region [1].
Exploitation
The attack vector is remote; an attacker can send a specially crafted CEPH_MSG_AUTH_REPLY message to a system running a vulnerable kernel. No authentication is required to trigger the vulnerability, as the message is processed during the initial handshake phase. The vulnerable function is called within the Ceph messenger workqueue (ceph_con_workfn), making it reachable from the network. The out-of-bounds read is not caught because ceph_decode_need() only verifies that the access does not run past the end of the allocation; it does not detect a pointer that a negative length has moved before the start of the buffer [1].
Impact
Successful exploitation allows an attacker to read memory beyond the allocated buffer, leading to a kernel crash (denial of service) or potential information disclosure. The KASAN report confirms a slab-out-of-bounds read of size 4, which could expose sensitive kernel data. Given the critical severity (CVSS 9.1) and the remote unauthenticated nature, this vulnerability poses a significant risk to systems running Ceph.
Mitigation
The fix was committed to the Linux kernel stable repository. The patch changes the data type of payload_len and result_msg_len from int to u32, preventing integer overflow. It also adds sanity checks to ensure these lengths do not exceed the overall segment length immediately after parsing. Users should apply the update from the kernel stable tree [1] as soon as possible.
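The following C program is an added illustration of the defect described in the commit message and in the Analysis above; it is example code written for this page, not code from the Linux kernel or the Ceph project. It places the buggy length handling (signed int, pointer advanced before any check) beside the fixed shape (u32, length checked against the remaining bytes before the cursor moves). The cursor is modelled as an offset into the segment rather than a raw pointer, has_room_end_only() is an assumed simplification of the end-only check as the commit message characterises ceph_decode_need(), and the segment bytes are constructed, not captured traffic.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_LEN 32          /* size of the constructed sample segment */
#define REJECTED LONG_MIN   /* sentinel: the decoder refused the message */

/* Decoder cursor kept as an offset into the segment, not a raw pointer, so the
 * "decremented pointer" of the bug can be shown without ever forming an
 * out-of-bounds pointer (which would be undefined behaviour in C). */
struct cursor {
    size_t seg_len;   /* total bytes in the segment */
    long off;         /* current position; goes negative in the buggy model */
};

static uint32_t get_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Assumed simplification of an end-only room check, modelled on how the commit
 * message characterises ceph_decode_need(): it guarantees only that off + n does
 * not run past the end of the segment. An offset already below zero still passes. */
static bool has_room_end_only(const struct cursor *c, size_t n)
{
    long end = (long)c->seg_len;
    return end >= c->off && n <= (size_t)(end - c->off);
}

/* Buggy shape: the wire length lands in a signed int. A value above INT_MAX wraps
 * negative (implementation-defined conversion; wraps on GCC and Clang), the cursor
 * moves backwards, and the end-only check still approves the next 4-byte read.
 * Returns the offset that read would land on, or REJECTED. */
static long buggy_decode(const uint8_t *seg, size_t seg_len)
{
    struct cursor c = { seg_len, 0 };
    if (!has_room_end_only(&c, 4))
        return REJECTED;
    int payload_len = (int)get_le32(seg);   /* the defect: signed length */
    c.off += 4;
    c.off += payload_len;                   /* skip payload; negative => before the start */
    if (!has_room_end_only(&c, 4))          /* only guards the end of the buffer */
        return REJECTED;
    return c.off;
}

/* Fixed shape: the length stays u32 and is checked against the bytes that remain
 * before the cursor is advanced, so it can neither wrap nor overshoot. */
static long fixed_decode(const uint8_t *seg, size_t seg_len)
{
    struct cursor c = { seg_len, 0 };
    if (!has_room_end_only(&c, 4))
        return REJECTED;
    uint32_t payload_len = get_le32(seg);
    c.off += 4;
    if (!has_room_end_only(&c, payload_len)) /* payload must fit in the remainder */
        return REJECTED;
    c.off += payload_len;
    if (!has_room_end_only(&c, 4))
        return REJECTED;
    return c.off;
}

/* Builds a constructed SEG_LEN-byte segment (not captured traffic) whose first
 * four bytes carry the little-endian payload_len field, then runs one decoder. */
static long run_scenario(uint32_t wire_len, bool use_fixed)
{
    uint8_t seg[SEG_LEN];
    memset(seg, 0xAA, sizeof seg);
    for (int i = 0; i < 4; i++)
        seg[i] = (uint8_t)(wire_len >> (8 * i));
    return use_fixed ? fixed_decode(seg, sizeof seg) : buggy_decode(seg, sizeof seg);
}

int main(void)
{
    const uint32_t cases[] = { 8, 100, 0xFFFFFFF0u }; /* sane, too long, > INT_MAX */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long b = run_scenario(cases[i], false);
        long f = run_scenario(cases[i], true);
        printf("payload_len=0x%08x: buggy -> ", (unsigned)cases[i]);
        if (b == REJECTED) printf("rejected"); else printf("read at offset %ld", b);
        printf(", fixed -> %s\n", f == REJECTED ? "rejected" : "accepted");
    }
    return 0;
}
```

Running it shows the three outcomes that matter: a sane length is accepted by both decoders, an oversized positive length is refused by both because the end check still works in that direction, and a length above INT_MAX is refused by the fixed decoder but accepted by the buggy one with a negative offset, which is the read before the start of the buffer that KASAN reported. The two ingredients of the fix are independent and both needed: the unsigned type stops the wrap, and checking the length against the remaining bytes before advancing stops an honest-but-oversized length from overshooting.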
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0): No patches discovered yet.
References (8)
- https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472 (source: NVD)
- https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656 (source: NVD)
- https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665 (source: NVD)
- https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72 (source: NVD)
- https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847 (source: NVD)
- https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0 (source: NVD)
- https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d (source: NVD)
- https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969 (source: NVD)