CVE-2026-23201
Use-After-Free in Linux Kernel Ceph Snapshots Causes Oops
Publication date: 2026-02-14
Last updated on: 2026-03-19
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.12.42 (inc) to 6.12.70 (exc) |
| linux | linux_kernel | From 6.15.10 (inc) to 6.16 (exc) |
| linux | linux_kernel | From 6.16.1 (inc) to 6.18.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Ceph filesystem implementation. It is caused by an invalid pointer being passed to the kfree() function in the parse_longname() function when reading Ceph snapshot directories (named .snap).
Specifically, the variable holding the snapshot name string is advanced by one character to skip an initial underscore ('_'), but kfree() is still called on the original pointer, which is now invalid. This leads to a kernel oops (a crash or fault) when listing snapshot directories.
The patch fixes this by removing the pointer advancement so that kfree() is called with the correct memory pointer, preventing the kernel oops.
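The pointer handling described above, as a userspace C model added here for illustration; it is not the kernel's parse_longname() or the upstream patch. The function names, the audit struct and the sample snapshot name are hypothetical, and the stand-in for kfree() records the pointer it receives instead of performing the invalid free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical audit record; freed_offset == 0 means the free was valid. */
struct audit { char *base; long freed_offset; };

/* Stand-in for kfree(): records the pointer, then releases the true base. */
static void audited_free(struct audit *a, char *p)
{
    a->freed_offset = (long)(p - a->base);
    free(a->base);
}

/* Shape of the bug: the only pointer to the buffer is advanced past '_'. */
static long parse_buggy(const char *longname, char *out, size_t outlen)
{
    struct audit a = { malloc(strlen(longname) + 1), 0 };
    char *str = a.base;
    if (!str) return -1;
    strcpy(str, longname);
    if (*str == '_')
        str++;                      /* str no longer points at the allocation */
    snprintf(out, outlen, "%s", str);
    audited_free(&a, str);          /* base + 1: an invalid free in real code */
    return a.freed_offset;
}

/* Corrected shape (one option, assumed): read at an offset, never move str. */
static long parse_fixed(const char *longname, char *out, size_t outlen)
{
    struct audit a = { malloc(strlen(longname) + 1), 0 };
    char *str = a.base;
    if (!str) return -1;
    strcpy(str, longname);
    snprintf(out, outlen, "%s", str + (*str == '_'));
    audited_free(&a, str);          /* still the allocation base */
    return a.freed_offset;
}

int main(void)
{
    const char *sample = "_nightly_1099511627776"; /* constructed sample name */
    char name[64];
    printf("buggy frees base+%ld\n", parse_buggy(sample, name, sizeof name));
    printf("fixed frees base+%ld (%s)\n", parse_fixed(sample, name, sizeof name), name);
    return 0;
}
```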
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash or hang when accessing Ceph snapshot directories, for example when running commands like 'ls' on the .snap directory.
Such kernel oopses can lead to system instability, denial of service, or require a system reboot to recover, impacting availability of services relying on Ceph filesystem snapshots.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to list Ceph snapshot directories and observing if the system experiences a kernel oops or if the ls command hangs indefinitely.
- Create snapshots on a CephFS volume.
- Add the CephFS mount to /etc/fstab, for example: echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
- Reboot the system using: systemctl reboot
- Verify the mount with: mount | grep stuff
- List the snapshots directory with: ls /mnt/test/stuff/.snap
If the ls command hangs and the kernel log shows an oops, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
I don't know