VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46119

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A slab-out-of-bounds access in the Linux kernel's libceph allows an attacker to leak kernel memory by sending a crafted CEPH_MSG_AUTH_REPLY whose result field holds a positive value that the client misinterprets as an error code.

Vulnerability

In the Linux kernel's Ceph network protocol implementation (libceph), a slab-out-of-bounds access exists in the authentication message processing path. If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Subsequently, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This affects the Linux kernel versions prior to the fix commit [1].

Exploitation

An attacker with network access to a Ceph client or server can send a specially crafted CEPH_MSG_AUTH_REPLY message with a positive result value that exceeds the allocated front segment size. No authentication is required to trigger the vulnerability, as the flaw occurs during the authentication handshake phase itself. The attacker must be in a position to inject or modify network messages between the Ceph client and monitor.

Impact

Successful exploitation leads to an out-of-bounds read, causing the kernel to transmit sensitive memory content from beyond the allocated front segment buffer over the network. This can result in information disclosure of kernel memory, potentially leaking cryptographic key material, credentials, or other sensitive data. The vulnerability may also lead to a system crash or denial of service if the out-of-bounds access triggers a kernel panic or memory corruption.

Mitigation

The fix is included in the Linux kernel commit [1] (stable tree). The fix changes the error handling to treat only negative values in the result field as errors; positive values are treated as success. Additionally, a BUG_ON is added to __send_prepared_auth_request() to compare the len parameter to front_alloc_len to catch any future logic flaws. Users should update their Linux kernel to a version containing this commit. No workaround is available without patching.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (10)
1c439de70b1c

libceph: Fix slab-out-of-bounds access in auth message processing

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Raphael Zimmer · Apr 21, 2026 · Fixed in 7.1-rc1 · via kernel-cna
4 files changed · +6 4
  • net/ceph/auth.c+1 1 modified
    diff --git a/net/ceph/auth.c b/net/ceph/auth.c
    index 3314705e591466..17660bde896be8 100644
    --- a/net/ceph/auth.c
    +++ b/net/ceph/auth.c
    @@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
     		ac->negotiating = false;
     	}
     
    -	if (result) {
    +	if (result < 0) {
     		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
     		       ceph_auth_proto_name(ac->protocol), result);
     		ret = result;
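Review bot: changing `if (result)` to `if (result < 0)` closes the path where a positive `result` was returned as an error and then reused by the caller as a send length, but the hunk adds no handling for a positive `result` at all: it now falls through to the success path exactly like zero. Since `result` is printed with `%d` and is therefore a signed value the peer controls, consider at least a rate-limited warning when `result > 0`, so a corrupted or hostile reply remains visible in the kernel log instead of being silently accepted.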
    
  • net/ceph/mon_client.c+2 1 modified
    diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
    index d5080530ce0ccb..d2cdc8ee31551e 100644
    --- a/net/ceph/mon_client.c
    +++ b/net/ceph/mon_client.c
    @@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_monmap *m, struct ceph_entity_addr *addr)
      */
     static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
     {
    +	BUG_ON(len > monc->m_auth->front_alloc_len);
    +
     	monc->pending_auth = 1;
     	monc->m_auth->front.iov_len = len;
     	monc->m_auth->hdr.front_len = cpu_to_le32(len);
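Review bot: `BUG_ON(len > monc->m_auth->front_alloc_len)` turns any oversized `len` into a kernel panic, and `len` in this function ultimately derives from a network reply; a `WARN_ON_ONCE` followed by an early return would keep a future logic slip from becoming a remotely reachable crash. Also, `len` is a signed `int` in the visible signature and is assigned straight to `front.iov_len` and passed through `cpu_to_le32()`, so a negative `len` passes this check unchanged; `BUG_ON(len < 0 || len > monc->m_auth->front_alloc_len)` would cover both bounds.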
2ae0afd98432

libceph: Fix slab-out-of-bounds access in auth message processing

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Raphael Zimmer · Apr 21, 2026 · Fixed in 6.6.140 · via kernel-cna
4 files changed · +6 4
  • net/ceph/auth.c+1 1 modified
    diff --git a/net/ceph/auth.c b/net/ceph/auth.c
    index 23d109cb0c6b27..06d0d73309c226 100644
    --- a/net/ceph/auth.c
    +++ b/net/ceph/auth.c
    @@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
     		ac->negotiating = false;
     	}
     
    -	if (result) {
    +	if (result < 0) {
     		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
     		       ceph_auth_proto_name(ac->protocol), result);
     		ret = result;
    
  • net/ceph/mon_client.c+2 1 modified
    diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
    index 290fd7ab125fa7..9608072863dc49 100644
    --- a/net/ceph/mon_client.c
    +++ b/net/ceph/mon_client.c
    @@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_monmap *m, struct ceph_entity_addr *addr)
      */
     static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
     {
    +	BUG_ON(len > monc->m_auth->front_alloc_len);
    +
     	monc->pending_auth = 1;
     	monc->m_auth->front.iov_len = len;
     	monc->m_auth->hdr.front_len = cpu_to_le32(len);
408e85ee708b

libceph: Fix slab-out-of-bounds access in auth message processing

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Raphael Zimmer · Apr 21, 2026 · Fixed in 6.12.88 · via kernel-cna
4 files changed · +6 4
  • net/ceph/auth.c+1 1 modified
    diff --git a/net/ceph/auth.c b/net/ceph/auth.c
    index 23d109cb0c6b27..06d0d73309c226 100644
    --- a/net/ceph/auth.c
    +++ b/net/ceph/auth.c
    @@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
     		ac->negotiating = false;
     	}
     
    -	if (result) {
    +	if (result < 0) {
     		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
     		       ceph_auth_proto_name(ac->protocol), result);
     		ret = result;
    
  • net/ceph/mon_client.c+2 1 modified
    diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
    index ae12f2dbed9e33..e1311fd5b91eab 100644
    --- a/net/ceph/mon_client.c
    +++ b/net/ceph/mon_client.c
    @@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_monmap *m, struct ceph_entity_addr *addr)
      */
     static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
     {
    +	BUG_ON(len > monc->m_auth->front_alloc_len);
    +
     	monc->pending_auth = 1;
     	monc->m_auth->front.iov_len = len;
     	monc->m_auth->hdr.front_len = cpu_to_le32(len);
b7df9fbd4869

libceph: Fix slab-out-of-bounds access in auth message processing

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Raphael Zimmer · Apr 21, 2026 · Fixed in 6.18.30 · via kernel-cna
4 files changed · +6 4
  • net/ceph/auth.c+1 1 modified
    diff --git a/net/ceph/auth.c b/net/ceph/auth.c
    index 23d109cb0c6b27..06d0d73309c226 100644
    --- a/net/ceph/auth.c
    +++ b/net/ceph/auth.c
    @@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
     		ac->negotiating = false;
     	}
     
    -	if (result) {
    +	if (result < 0) {
     		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
     		       ceph_auth_proto_name(ac->protocol), result);
     		ret = result;
    
  • net/ceph/mon_client.c+2 1 modified
    diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
    index 94a7a82ca47561..ff4311d5764bda 100644
    --- a/net/ceph/mon_client.c
    +++ b/net/ceph/mon_client.c
    @@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_monmap *m, struct ceph_entity_addr *addr)
      */
     static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
     {
    +	BUG_ON(len > monc->m_auth->front_alloc_len);
    +
     	monc->pending_auth = 1;
     	monc->m_auth->front.iov_len = len;
     	monc->m_auth->hdr.front_len = cpu_to_le32(len);
8517b6c8d2c7

libceph: Fix slab-out-of-bounds access in auth message processing

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Raphael Zimmer · Apr 21, 2026 · Fixed in 7.0.7 · via kernel-cna
4 files changed · +6 4
  • net/ceph/auth.c+1 1 modified
    diff --git a/net/ceph/auth.c b/net/ceph/auth.c
    index 3314705e591466..17660bde896be8 100644
    --- a/net/ceph/auth.c
    +++ b/net/ceph/auth.c
    @@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
     		ac->negotiating = false;
     	}
     
    -	if (result) {
    +	if (result < 0) {
     		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
     		       ceph_auth_proto_name(ac->protocol), result);
     		ret = result;
    
  • net/ceph/mon_client.c+2 1 modified
    diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
    index d5080530ce0ccb..d2cdc8ee31551e 100644
    --- a/net/ceph/mon_client.c
    +++ b/net/ceph/mon_client.c
    @@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_monmap *m, struct ceph_entity_addr *addr)
      */
     static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
     {
    +	BUG_ON(len > monc->m_auth->front_alloc_len);
    +
     	monc->pending_auth = 1;
     	monc->m_auth->front.iov_len = len;
     	monc->m_auth->hdr.front_len = cpu_to_le32(len);

Vulnerability mechanics

Root cause

"Incorrect error handling in ceph_handle_auth_reply() treats any non-zero result value as an error, allowing a positive value to be used as an unchecked front segment length, leading to a slab-out-of-bounds read."

Attack vector

An attacker who can send a crafted (or corrupted) `CEPH_MSG_AUTH_REPLY` message to a Ceph client can set the `result` field to a positive value larger than the preallocated front segment buffer. The function `ceph_handle_auth_reply()` in `net/ceph/auth.c` treats any non-zero result as an error and returns that positive value [patch_id=2898551]. The caller `handle_auth_reply()` then passes this value as the length to `__send_prepared_auth_request()`, which uses it as the front segment size without validation, causing a slab-out-of-bounds read when the kernel sends data beyond the allocated buffer.

Affected code

The vulnerability resides in `net/ceph/auth.c` in the function `ceph_handle_auth_reply()` and in `net/ceph/mon_client.c` in the function `__send_prepared_auth_request()` [patch_id=2898551]. The `ceph_handle_auth_reply()` function incorrectly treats any non-zero value in the `result` field of a `CEPH_MSG_AUTH_REPLY` message as an error, and the return value is later passed as the `len` parameter to `__send_prepared_auth_request()` where it is used as the front segment size without bounds checking.

What the fix does

The patch makes two changes. First, in `net/ceph/auth.c`, the condition `if (result)` is changed to `if (result < 0)`, so only negative values in the result field are treated as errors; positive values are now treated as success (same as zero) [patch_id=2898551]. Second, in `net/ceph/mon_client.c`, a `BUG_ON(len > monc->m_auth->front_alloc_len)` is added to `__send_prepared_auth_request()` to catch any future logic flaws that could pass an oversized length, preventing the out-of-bounds access from being sent on the wire [patch_id=2898551].
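The control flow described in the Root cause, Attack vector and What the fix does paragraphs above (and in the AI Insight section), as an added userland model that is not the kernel's code and not part of this advisory. It puts the pre-patch `if (result)` check beside the patched `if (result < 0)` check and routes the returned value into a bounds-checked send, the way `handle_auth_reply()` hands it to `__send_prepared_auth_request()`. The `struct model_auth_msg`, the 64-byte front size, the `next_req_len` parameter, the `enum outcome` codes and the recoverable return of -1 in place of the kernel's `BUG_ON()` are assumptions of this example; the `len < 0` check is also the example's addition, not part of the patch.

```c
/*
 * Userland model of the CVE-2026-46119 control flow (not kernel code).
 * The function names echo ceph_handle_auth_reply(), handle_auth_reply()
 * and __send_prepared_auth_request() from the advisory; the struct, the
 * buffer size, next_req_len and the outcome codes are constructed here.
 */
#include <stdio.h>
#include <string.h>

#define FRONT_ALLOC_LEN 64  /* constructed size of the preallocated CEPH_MSG_AUTH front */

/* Stand-in for monc->m_auth: a fixed front buffer plus the length fields
 * that the send routine fills in before the message goes out. */
struct model_auth_msg {
    unsigned char front[FRONT_ALLOC_LEN];
    int front_alloc_len;
    int front_len;   /* bytes that would be written to the wire */
    int sends;       /* messages handed to the transport */
};

enum outcome {
    SENT_OK,           /* a request of front_len bytes was sent */
    AUTH_ERROR,        /* negative result: authentication failed */
    NOTHING_TO_SEND,   /* this handshake step needs no further request */
    REJECTED_OVERSIZE  /* len exceeded the allocation; bounds check fired */
};

static void model_msg_init(struct model_auth_msg *m)
{
    memset(m, 0, sizeof(*m));
    m->front_alloc_len = FRONT_ALLOC_LEN;
}

/* Pre-patch semantics: any non-zero result is an error and is handed back
 * verbatim, so a positive result looks to the caller exactly like a
 * "send this many bytes" success value. */
static int handle_auth_reply_before(int result, int next_req_len)
{
    if (result)
        return result;
    return next_req_len;
}

/* Patched semantics: only negative results are errors; positive results
 * are treated as success, the same as zero. */
static int handle_auth_reply_after(int result, int next_req_len)
{
    if (result < 0)
        return result;
    return next_req_len;
}

/* Model of __send_prepared_auth_request() with the bounds check made
 * recoverable: the kernel patch uses BUG_ON(), this returns -1 so the
 * caller can observe the rejection. The len < 0 check is this model's
 * addition; the patch hunk only checks the upper bound. */
static int send_prepared_auth_request(struct model_auth_msg *m, int len)
{
    if (len < 0 || len > m->front_alloc_len)
        return -1;  /* would have read past front[] */
    m->front_len = len;
    m->sends++;
    return len;
}

/* Model of the caller handle_auth_reply(): negative -> error, zero ->
 * nothing to send, positive -> length of the front segment to send. */
static enum outcome process_auth_reply(struct model_auth_msg *m, int result,
                                       int next_req_len, int patched)
{
    int ret = patched ? handle_auth_reply_after(result, next_req_len)
                      : handle_auth_reply_before(result, next_req_len);

    if (ret < 0)
        return AUTH_ERROR;
    if (ret == 0)
        return NOTHING_TO_SEND;
    if (send_prepared_auth_request(m, ret) < 0)
        return REJECTED_OVERSIZE;
    return SENT_OK;
}

int main(void)
{
    struct model_auth_msg m;
    int result = 200;  /* constructed positive result, larger than the front */
    enum outcome before, after;

    model_msg_init(&m);
    before = process_auth_reply(&m, result, 32, 0);
    printf("unpatched: result=%d -> outcome %d (len %d > alloc %d)\n",
           result, before, result, m.front_alloc_len);

    model_msg_init(&m);
    after = process_auth_reply(&m, result, 32, 1);
    printf("patched:   result=%d -> outcome %d, front_len=%d\n",
           result, after, m.front_len);
    return 0;
}
```

The point to take from the model is that the pre-patch handler never inspects the sign of `result`, so a positive value walks straight into the length field, and the allocation-size check is all that stands between that and bytes past the buffer leaving the host. A positive result that happens to fit inside the allocation (the `result = 40` case in the checks) still sends bytes that were never built as a request, which is why the bounds check alone would not have been a complete fix.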

Preconditions

  • network: Attacker must be able to send a crafted CEPH_MSG_AUTH_REPLY message to the target Ceph client (e.g., a malicious or man-in-the-middle monitor).
  • input: The crafted message must contain a positive result value greater than the preallocated front segment buffer size.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.