CVE-2026-23201
Unknown Unknown - Not Provided
Use-After-Free in Linux Kernel Ceph Snapshots Causes Oops

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer. Steps to reproduce: 1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase) 2. Add cephfs mount to fstab $ echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab 3. Reboot the system $ systemctl reboot 4. Check if it's really mounted $ mount | grep stuff 5. List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap Now ls hangs forever and the kernel log shows the oops.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23201
EUVD
EUVD-2026-5844
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.12.42 (inc) to 6.12.70 (exc)
linux linux_kernel From 6.15.10 (inc) to 6.16 (exc)
linux linux_kernel From 6.16.1 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Ceph filesystem implementation. It is caused by an invalid pointer being passed to the kfree() function in the parse_longname() function when reading Ceph snapshot directories (named .snap).

Specifically, the variable holding the snapshot name string is advanced by one character to skip an initial underscore ('_'), but kfree() is still called on the original pointer, which is now invalid. This leads to a kernel oops (a crash or fault) when listing snapshot directories.

The patch fixes this by removing the pointer advancement so that kfree() is called with the correct memory pointer, preventing the kernel oops.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or hang when accessing Ceph snapshot directories, for example when running commands like 'ls' on the .snap directory.

Such kernel oopses can lead to system instability, denial of service, or require a system reboot to recover, impacting availability of services relying on Ceph filesystem snapshots.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to list Ceph snapshot directories and observing if the system experiences a kernel oops or if the ls command hangs indefinitely.

  • Create snapshots on a CephFS volume.
  • Add the CephFS mount to /etc/fstab, for example: echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
  • Reboot the system using: systemctl reboot
  • Verify the mount with: mount | grep stuff
  • List the snapshots directory with: ls /mnt/test/stuff/.snap

If the ls command hangs and the kernel log shows an oops, the vulnerability is present.

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart