CVE-2026-46024
Description
In the Linux kernel, the following vulnerability has been resolved:
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL.
This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted CEPH_MSG_AUTH_REPLY with zero protocol and result can trigger a null-pointer dereference in libceph, causing a kernel crash.
Vulnerability
In the Linux kernel's libceph, the function ceph_handle_auth_reply() does not properly handle a CEPH_MSG_AUTH_REPLY message where both the protocol and result fields are zero. When ac->negotiating is true and ac->protocol is greater than zero, the message sets ac->protocol = 0 and ac->ops = NULL. The subsequent check ac->protocol != protocol fails to detect this change, so init_protocol() is not called, and ac->ops->handle_reply() is invoked on a NULL pointer. This vulnerability affects kernel versions prior to the fix commit [1].
Exploitation
An attacker with the ability to send a crafted CEPH_MSG_AUTH_REPLY message to a target system running a vulnerable kernel can trigger the null-pointer dereference. No authentication or special privileges are required beyond network access to send the message. The attacker must set both the protocol and result fields to zero in the message payload.
Impact
Successful exploitation results in a null-pointer dereference in the kernel, leading to a system crash (denial of service). The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available description.
Mitigation
The fix is included in the Linux kernel commit 8f2be7285941a33a9f72579a23b96392f83c758e [1]. Users should apply the patch or update to a kernel version containing this commit. No workaround is mentioned in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
927e4bd5692f libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
1 file changed · +1 −2
net/ceph/auth.c+1 −2 modifieddiff --git a/net/ceph/auth.c b/net/ceph/auth.c index 0d75679c6a7ed4..23d109cb0c6b27 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", -- cgit 1.3-korg
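Review bot: The new `if (!ac->protocol)` test only prevents the NULL `ac->ops` call if `init_protocol(ac, protocol)` returns an error when `protocol` is 0, and nothing in this hunk shows that it does. Consider stating that dependency in a comment above the condition, or rejecting a zero `protocol` explicitly before the block that sets `ac->ops = NULL;`, so the guarantee does not rest on the callee's behaviour.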
8f2be7285941 libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
1 file changed · +1 −2
net/ceph/auth.c+1 −2 modifieddiff --git a/net/ceph/auth.c b/net/ceph/auth.c index 901b93530b2144..3314705e591466 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", -- cgit 1.3-korg
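Review bot: At the changed condition, `!ac->protocol` replaces `ac->protocol != protocol`, and the two are interchangeable for non-zero values only if the block ending in `ac->ops = NULL;` has already reset `ac->protocol` on every mismatch; the context shown here does not include that block's guard. A short comment on the `+` line explaining why a plain zero test is sufficient would help whoever next touches this function.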
016bc6636573 libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
1 file changed · +1 −2
net/ceph/auth.c+1 −2 modifieddiff --git a/net/ceph/auth.c b/net/ceph/auth.c index 0d75679c6a7ed4..23d109cb0c6b27 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", -- cgit 1.3-korg
5199c125d25a libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
1 file changed · +1 −2
net/ceph/auth.c+1 −2 modifieddiff --git a/net/ceph/auth.c b/net/ceph/auth.c index 901b93530b2144..3314705e591466 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", -- cgit 1.3-korg
4b2738b93eda libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
1 file changed · +1 −2
net/ceph/auth.c+1 −2 modifieddiff --git a/net/ceph/auth.c b/net/ceph/auth.c index 0d75679c6a7ed4..23d109cb0c6b27 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Incorrect conditional check in ceph_handle_auth_reply() fails to detect when ac->protocol was zeroed by a crafted message, leading to a null pointer dereference of ac->ops."
Attack vector
An attacker who can send a crafted CEPH_MSG_AUTH_REPLY message with both the protocol and result fields set to zero can trigger a null pointer dereference. When `ac->negotiating` is true and `ac->protocol > 0`, the code sets `ac->protocol = 0` and `ac->ops = NULL`. The original check `ac->protocol != protocol` evaluates to false (both are 0), so `init_protocol()` is skipped. Execution then reaches `ac->ops->handle_reply()`, which dereferences the NULL `ac->ops` pointer, causing a kernel crash [patch_id=2660351].
Affected code
The vulnerable function is `ceph_handle_auth_reply()` in `net/ceph/auth.c` [patch_id=2660351]. The flaw is in the conditional check `if (ac->protocol != protocol)` at line 248 of the original code, which fails to catch the case where `ac->protocol` was just set to 0 and `ac->ops` was set to NULL in the preceding block.
What the fix does
The patch changes the condition from `ac->protocol != protocol` to `!ac->protocol` [patch_id=2660351]. This ensures that whenever `ac->protocol` is zero (including after being zeroed by the preceding block), the code calls `init_protocol()` to re-establish a valid protocol handler. If `init_protocol()` fails, the message is treated as having a bad auth protocol and an error is returned, preventing the subsequent NULL pointer dereference of `ac->ops`.
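A userspace model of the control flow described above, added here as an illustration (it is not kernel code and not part of the fix commit): it runs the same reply through the old and the new condition. The struct layout, the `model_*` names, the guard on the reset block, the `WOULD_DEREF_NULL` sentinel and the assumption that `init_protocol()` rejects protocol 0 are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define WOULD_DEREF_NULL (-1000) /* sentinel: the kernel would oops here */
struct auth_ops { int (*handle_reply)(void); };
struct auth_client { bool negotiating; int protocol; const struct auth_ops *ops; };
static int reply_ok(void) { return 0; }
static const struct auth_ops model_ops = { reply_ok };

/* Stand-in for init_protocol(); assumed to reject protocol 0 as a bad protocol. */
static int model_init_protocol(struct auth_client *ac, int protocol)
{
    if (protocol <= 0)
        return -EINVAL;
    ac->protocol = protocol;
    ac->ops = &model_ops;
    return 0;
}

/* Control flow as the CVE text describes it; `patched` selects the condition. */
static int model_handle_auth_reply(struct auth_client *ac, int protocol, bool patched)
{
    if (ac->negotiating) {
        if (ac->protocol > 0 && ac->protocol != protocol) { /* assumed guard */
            ac->protocol = 0;
            ac->ops = NULL;
        }
        if (patched ? !ac->protocol : ac->protocol != protocol) {
            int ret = model_init_protocol(ac, protocol);
            if (ret)
                return ret; /* reply rejected before ops is used */
        }
        ac->negotiating = false;
    }
    return ac->ops ? ac->ops->handle_reply() : WOULD_DEREF_NULL;
}

/* One negotiating client that starts on `start` and receives `msg_protocol`. */
static int model_run(int start, int msg_protocol, bool patched)
{
    struct auth_client ac = { true, start, start ? &model_ops : NULL };
    return model_handle_auth_reply(&ac, msg_protocol, patched);
}

int main(void)
{
    printf("old: %d, new: %d\n", model_run(2, 0, false), model_run(2, 0, true));
    return 0;
}
```

With the old condition the zero-protocol reply reaches the handler call with `ops` unset; with the new one it is rejected with the error from the init stand-in, and replies carrying a valid protocol behave the same under both.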
Preconditions
- network: The attacker must be able to send a crafted CEPH_MSG_AUTH_REPLY message to the target system.
- config: The target's auth client must be in the negotiating state (ac->negotiating == true) with a previously established protocol (ac->protocol > 0).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77 (nvd)
- git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d (nvd)
- git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e (nvd)
- git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e (nvd)
- git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548 (nvd)