libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

CVE	CVE-2026-46024
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:20 UTC
Updated	2026-05-30 11:17:18 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000440000 probability, percentile 0.140470000 (date 2026-05-31)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.1	CNA	DECLARED	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc 4b2738b93edad661178340239de657d876b73d3d git	Not specified
CNA	Linux	Linux	affected 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc 927e4bd5692f2a4901808822981fb2c8d4456548 git	Not specified
CNA	Linux	Linux	affected 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc 016bc663657366d386993f63eb31072eb45a2b77 git	Not specified
CNA	Linux	Linux	affected 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc 8f2be7285941a33a9f72579a23b96392f83c758e git	Not specified
CNA	Linux	Linux	affected 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc 5199c125d25aeae8615c4fc31652cc0fe624338e git	Not specified
CNA	Linux	Linux	affected 2.6.34	Not specified
CNA	Linux	Linux	unaffected 2.6.34 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.86 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.27 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.4 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.