CVE-2026-23201
Unknown Unknown - Not Provided

Use-After-Free in Linux Kernel Ceph Snapshots Causes Oops

Vulnerability report for CVE-2026-23201, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer. Steps to reproduce: 1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase) 2. Add cephfs mount to fstab $ echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab 3. Reboot the system $ systemctl reboot 4. Check if it's really mounted $ mount | grep stuff 5. List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap Now ls hangs forever and the kernel log shows the oops.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-14
Last Modified
2026-03-19
Generated
2026-07-06
AI Q&A
2026-02-14
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.12.42 (inc) to 6.12.70 (exc)
linux linux_kernel From 6.15.10 (inc) to 6.16 (exc)
linux linux_kernel From 6.16.1 (inc) to 6.18.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Ceph filesystem implementation. It is caused by an invalid pointer being passed to the kfree() function in the parse_longname() function when reading Ceph snapshot directories (named .snap).

Specifically, the variable holding the snapshot name string is advanced by one character to skip an initial underscore ('_'), but kfree() is still called on the original pointer, which is now invalid. This leads to a kernel oops (a crash or fault) when listing snapshot directories.

The patch fixes this by removing the pointer advancement so that kfree() is called with the correct memory pointer, preventing the kernel oops.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or hang when accessing Ceph snapshot directories, for example when running commands like 'ls' on the .snap directory.

Such kernel oopses can lead to system instability, denial of service, or require a system reboot to recover, impacting availability of services relying on Ceph filesystem snapshots.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to list Ceph snapshot directories and observing if the system experiences a kernel oops or if the ls command hangs indefinitely.

  • Create snapshots on a CephFS volume.
  • Add the CephFS mount to /etc/fstab, for example: echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
  • Reboot the system using: systemctl reboot
  • Verify the mount with: mount | grep stuff
  • List the snapshots directory with: ls /mnt/test/stuff/.snap

If the ls command hangs and the kernel log shows an oops, the vulnerability is present.

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart