CVE-2026-23201

Summary

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix oops due to invalid pointer for kfree() in parse_longname()

This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running ls /mnt/my_ceph/.snap.

The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer.

Steps to reproduce:

  1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)

  2. Add cephfs mount to fstab $ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab

  3. Reboot the system $ systemctl reboot

  4. Check if it's really mounted $ mount | grep stuff

  5. List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap

Now ls hangs forever and the kernel log shows the oops.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbb80f7618832d26f7e395f52f82b1dac76223e5f < 8c9af7339de419819cfc641d551675d38ff99abfaffected
LinuxLinux101841c38346f4ca41dc1802c867da990ffb32eb < e258ed369c9e04caa7d2fd49785d753ae4034cb6affected
LinuxLinux101841c38346f4ca41dc1802c867da990ffb32eb < bc8dedae022ce3058659c3addef3ec4b41d15e00affected
LinuxLinux3145b2b11492d61c512bbc59660bb823bc757f48affected
LinuxLinux493479af8af3ab907f49e99323777d498a4fbd2baffected
LinuxLinux6.12.42 < 6.12.70affected
LinuxLinux6.15.10 < 6.16affected
LinuxLinux6.16.1 < 6.17affected
LinuxLinux6.17affected
LinuxLinux0 < 6.17unaffected
LinuxLinux6.12.70 <= 6.12.*unaffected
LinuxLinux6.18.10 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References