Skip to main content

Linux Kernel libceph CVE-2026-43304

| EUVDEUVD-2026-28574 CRITICAL
2026-05-08 Linux GHSA-h4fr-xr6m-wwp8
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:22 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
CRITICAL 9.8
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: define and enforce CEPH_MAX_KEY_LEN

When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length.

The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- this has to be handled elsewhere anyway.

AnalysisAI

Improper key length validation in the Linux kernel's libceph authentication subsystem allows remote unauthenticated attackers to trigger memory corruption during Ceph authentication key decoding. This affects systems using Ceph distributed storage clusters, with EPSS probability 0.02% (percentile 7%), indicating low immediate exploitation likelihood. Patches available across all supported kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with commits linked in multiple stable trees, suggesting coordinated vendor response. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The vulnerability exists in libceph, the Linux kernel's client library for the Ceph distributed storage protocol. During authentication handshake with Ceph monitors, the process_auth_done() function decodes received cryptographic key material into a fixed-size buffer without adequate length validation. The flaw stems from insufficient boundary checks when copying variable-length key data from network packets. The original code only validated non-zero key material for certain crypto types (excluding CEPH_CRYPTO_NONE) but failed to enforce an upper bound. The fix introduces CEPH_MAX_KEY_LEN to constrain key sizes before buffer operations. This affects any Linux system mounting Ceph filesystems (CephFS), using Ceph block devices (RBD), or implementing Ceph object storage clients. The issue has existed since the libceph subsystem's introduction in commit 1da177e4c3f4 (initial Git import, circa 2.6.12-rc2, 2005), representing a 20-year-old code path.

RemediationAI

Apply vendor-released kernel updates immediately for systems using Ceph storage. Patched versions available: upgrade to Linux 5.15.202+ (LTS), 6.1.165+ (LTS), 6.6.128+ (LTS), 6.12.75+, 6.18.16+, 6.19.6+, or 7.0+ mainline. Commits implementing CEPH_MAX_KEY_LEN enforcement are available in all stable trees per https://git.kernel.org/stable/c/[commit-id] references in NVD advisory. For systems unable to patch immediately, implement network-layer compensating controls: isolate Ceph storage networks using VLANs or separate physical infrastructure to prevent MITM attacks on monitor communication (note: this does not eliminate risk from compromised monitors but reduces attack surface). Alternatively, disable and blacklist the ceph kernel module (modprobe -r ceph; echo 'blacklist ceph' >> /etc/modprobe.d/disable-ceph.conf) if Ceph functionality is unused - verify dependent services before applying. No userspace workarounds exist as vulnerability is kernel-internal. Reboots required after kernel updates to activate patched code.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy