Skip to main content

Linux Kernel CVE-2026-46024

| EUVDEUVD-2026-32405 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fmw3-m5fg-w74x
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:37 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL.

This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.

AnalysisAI

Denial of service in the Linux kernel's libceph subsystem allows remote attackers to crash the kernel via a malformed CEPH_MSG_AUTH_REPLY message containing zero values for both protocol and result fields. The flaw resides in ceph_handle_auth_reply() where a missing validation causes ac->ops to be set to NULL before being dereferenced. No public exploit identified at time of analysis, and EPSS is extremely low (0.02%), but the network attack vector with no authentication and high availability impact warrants prompt patching on Ceph-enabled systems.

Technical ContextAI

The vulnerability is in libceph, the Linux kernel client library that implements the Ceph distributed storage protocol used by CephFS, RBD (RADOS Block Device), and the Ceph object store. The root cause is a NULL pointer dereference (CWE-476 class) in the authentication handshake handler ceph_handle_auth_reply(): when a CEPH_MSG_AUTH_REPLY message arrives with protocol=0 and result=0 during negotiation (ac->negotiating == true with a previously non-zero ac->protocol), the code sets ac->protocol = 0 and ac->ops = NULL, but the subsequent equality check (ac->protocol != protocol) evaluates false, causing init_protocol() to be skipped. The kernel then calls ac->ops->handle_reply(), dereferencing the NULL ops pointer and triggering a kernel oops. The fix changes the check to !ac->protocol so a zero-valued protocol is correctly treated as a bad auth protocol.

RemediationAI

Upstream fix available with vendor-released patches in stable kernels 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1 - upgrade to the patched version on your kernel's stable branch (commits 016bc663657366d386993f63eb31072eb45a2b77, 4b2738b93edad661178340239de657d876b73d3d, 5199c125d25aeae8615c4fc31652cc0fe624338e, 8f2be7285941a33a9f72579a23b96392f83c758e, 927e4bd5692f2a4901808822981fb2c8d4456548 on git.kernel.org/stable). Track your distribution's security update channel (e.g., RHEL/Debian/Ubuntu/SUSE kernel advisories) for the backported build. If patching cannot be done immediately, compensating controls include: unloading the libceph/ceph/rbd modules on hosts that do not require Ceph (trade-off: breaks any Ceph mounts or RBD devices); restricting Ceph monitor/OSD traffic (TCP 3300/6789 and 6800-7300) to trusted storage networks via host or network firewall so only authenticated, controlled peers can deliver auth-reply messages to clients (trade-off: requires accurate inventory of Ceph endpoints); and enabling Ceph msgr2 with cephx authentication and on-wire encryption to reduce MitM exposure (trade-off: does not prevent a malicious or compromised monitor from sending the malformed reply).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy