CVE-2026-46119
Received - Intake
libceph slab-out-of-bounds in auth message processing

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.
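The return-value confusion in the description above, reduced to a user-space C model; this is an added example, not kernel source or the upstream patch. The names `reply_handler`, `send_prepared` and `overread_bytes`, the `patched` flag and the 128-byte `FRONT_ALLOC_LEN` are assumptions made for illustration, and the model only computes how many bytes past the buffer would be sent instead of reading them.

```c
#include <stddef.h>
#include <stdint.h>

#define FRONT_ALLOC_LEN 128  /* assumed front buffer size for this model */

/* Model of the reply handler's return convention from the description:
 * <0 = error, 0 = done, >0 = length of the next request to send.
 * next_len is the length the handler itself built (always in bounds). */
static int reply_handler(int32_t result, int next_len, int patched)
{
    int is_error = patched ? (result < 0) : (result != 0);
    if (is_error)
        return result;  /* unpatched: a positive result escapes as a "length" */
    return next_len;
}

/* Model of the send step: returns the number of bytes that would be read
 * from the front buffer, or -1 if the send is refused. The kernel fix uses
 * BUG_ON for the refusal; the model only reports it. */
static long send_prepared(int len, int patched)
{
    if (patched && (len < 0 || (size_t)len > FRONT_ALLOC_LEN))
        return -1;
    return len;
}

/* Bytes read beyond the front allocation for a given wire result value. */
static long overread_bytes(int32_t result, int next_len, int patched)
{
    int ret = reply_handler(result, next_len, patched);
    if (ret <= 0)
        return 0;       /* error or nothing to send */
    long sent = send_prepared(ret, patched);
    if (sent < 0)
        return 0;       /* refused by the bounds check */
    return sent > FRONT_ALLOC_LEN ? sent - FRONT_ALLOC_LEN : 0;
}

int main(void)
{
    /* Constructed input: result = 4096 in a corrupted reply, while the
     * handler had prepared a 40-byte next request. */
    return overread_bytes(4096, 40, 1) == 0 ? 0 : 1;
}
```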
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's libceph component during the processing of authentication messages.

When a message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, ceph_handle_auth_reply() treats it as an error code and returns it to handle_auth_reply(), which then interprets the value as the size of the front segment of the preallocated CEPH_MSG_AUTH message to send.

If this positive result value is larger than the allocated memory buffer for that segment, it causes a slab-out-of-bounds access, meaning memory beyond the allocated buffer is accessed and sent out.

The fix treats only negative result values as errors and adds a BUG_ON to __send_prepared_auth_request() that compares the len parameter to front_alloc_len, so a message that exceeds the bounds of the allocation is not sent.


How can this vulnerability impact me?

This vulnerability can lead to out-of-bounds memory access and potentially leak sensitive memory contents beyond the intended buffer.

An attacker could exploit this flaw by sending a specially crafted authentication reply message that triggers the out-of-bounds read and causes unintended data disclosure.

Such memory disclosure could expose sensitive information, potentially compromising system security or confidentiality.

