CVE-2026-23201
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix oops due to invalid pointer for kfree() in parse_longname()
This fixes a kernel oops when reading ceph snapshot directories (.snap),
for example by simply running ls /mnt/my_ceph/.snap.
The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer.
Steps to reproduce:
Create snapshots on a cephfs volume (I've 63 snaps in my testcase)
Add cephfs mount to fstab $ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
Reboot the system $ systemctl reboot
Check if it's really mounted $ mount | grep stuff
List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap
Now ls hangs forever and the kernel log shows the oops.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bb80f7618832d26f7e395f52f82b1dac76223e5f < 8c9af7339de419819cfc641d551675d38ff99abf | affected |
| Linux | Linux | 101841c38346f4ca41dc1802c867da990ffb32eb < e258ed369c9e04caa7d2fd49785d753ae4034cb6 | affected |
| Linux | Linux | 101841c38346f4ca41dc1802c867da990ffb32eb < bc8dedae022ce3058659c3addef3ec4b41d15e00 | affected |
| Linux | Linux | 3145b2b11492d61c512bbc59660bb823bc757f48 | affected |
| Linux | Linux | 493479af8af3ab907f49e99323777d498a4fbd2b | affected |
| Linux | Linux | 6.12.42 < 6.12.70 | affected |
| Linux | Linux | 6.15.10 < 6.16 | affected |
| Linux | Linux | 6.16.1 < 6.17 | affected |
| Linux | Linux | 6.17 | affected |
| Linux | Linux | 0 < 6.17 | unaffected |
| Linux | Linux | 6.12.70 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/8c9af7339de419819cfc641d551675d38ff99abf
- https://git.kernel.org/stable/c/e258ed369c9e04caa7d2fd49785d753ae4034cb6
- https://git.kernel.org/stable/c/bc8dedae022ce3058659c3addef3ec4b41d15e00
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.