CVE-2026-22991
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22991
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.11 (inc) to 5.15.198 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.6 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.121 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.66 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.161 (exc)
linux linux_kernel From 4.13 (inc) to 5.10.248 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the free_choose_arg_map() function has been fixed to include pointer checks before dereferencing. Applying the latest kernel patches that address this issue will prevent potential NULL pointer dereferences.

Executive Summary

This vulnerability occurs in the Linux kernel's libceph component where the function free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial memory allocation. Specifically, if allocation of arg_map->args fails in decode_choose_args(), free_choose_arg_map() is called with arg_map->size already set to a non-zero value, causing it to iterate over a NULL pointer, leading to a potential NULL pointer dereference. The fix involves adding pointer checks before iteration to prevent this issue.

Impact Analysis

This vulnerability can cause the Linux kernel to dereference a NULL pointer, which may lead to kernel crashes or system instability. Such crashes could result in denial of service or unexpected behavior in systems using the affected libceph component.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart