Skip to main content

Linux Kernel EUVDEUVD-2026-32878

| CVE-2026-46119 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7fj9-r9j7-5xwv
Critical
Disputed · 9.1 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:52 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.1 (CRITICAL)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.

AnalysisAI

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Technical ContextAI

The libceph kernel module implements the client-side Ceph storage protocol used by CephFS, RBD (RADOS Block Device), and the Ceph object store. During authentication handshake, the kernel issues CEPH_MSG_AUTH and processes CEPH_MSG_AUTH_REPLY responses from a Ceph monitor. The bug lives in ceph_handle_auth_reply()/handle_auth_reply(): the 'result' field is signed but only negative values represent errors; positive values were incorrectly returned upward and then reused as the front-segment length for the next outgoing CEPH_MSG_AUTH. Because that length is never bounded against front_alloc_len, the kernel reads past the slab allocation when constructing the outbound message, classic CWE-125 (out-of-bounds read) on slab memory. The fix narrows error detection to negative values only and adds a BUG_ON comparing len against front_alloc_len in __send_prepared_auth_request() as a defensive backstop.

RemediationAI

Vendor-released patches are available: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or later) depending on your branch, or pull the equivalent stable commits 8517b6c8d2c7, b7df9fbd4869, 1c439de70b1c, 2ae0afd98432, or 408e85ee708b from git.kernel.org/stable. Distribution users should track their vendor's kernel security advisory for the corresponding backport. As a compensating control until patched, restrict the Ceph client to talk only to trusted monitor IPs via host firewall rules on TCP/3300 (msgr2) and 6789 (msgr1), enable msgr2 secure mode (ms_cluster_mode=secure, ms_service_mode=secure, ms_client_mode=secure) so authentication replies are authenticated and encrypted end-to-end which prevents off-path injection, and avoid mounting CephFS/RBD from untrusted networks; the trade-off of secure mode is modest CPU overhead and a requirement that all peers support msgr2. Unloading the ceph and libceph modules on systems that do not use Ceph eliminates the attack surface entirely.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy