Navigation section

CVE-2026-22991: Kernel Libceph Cleanup Fix Prevents NULL Pointer Crash

  • Thread Author
A recently recorded Linux-kernel security entry, CVE-2026-22991, fixes a subtle but practical memory-safety bug in the kernel’s Ceph client library (libceph) by hardening the cleanup routine free_choose_arg_map() so it no longer dereferences NULL when its caller fails after a partial allocation. (nvd.nist.gov)

Neon-green shield reading NULL glows in a dark, code-filled chamber near an arg_map crate.Background​

Ceph is a widely used distributed storage system whose kernel-side client—commonly referred to as libceph—implements critical in-kernel logic for talking to Ceph monitors and object storage daemons, supporting CephFS, kernel clients mounting Ceph volumes, and other environments where kernel-level behavior must be robust and secure. Over the last several release cycles, maintainers have routinely hardened libceph to eliminate crashes that could arise from malformed inputs, race conditions, or error-handling gaps. Recent CVEs in the libceph area show this remains an arrk.
CVE-2026-22991 was publicly recorded on 23 January 2026 and the kernel.org commit references were incorporated into the NVD entry shortly after; the vulnerability description, as published by the CNA and mirrored by distributors, describes a NULL-pointer dereference risk that can be triggered during a partial allocation and subsequent cleanup path. (nvd.nist.gov)

What the bug is — technical overview​

At a high level, the defect is an error-handling ordering bug with predictable consequences:
  • The libceph code maintains an argument map structure (commonly referenced in the patch as arg_map) that contains a size field and a pointer to an array (arg_map->args).
  • In the code path decode_choose_args(), the implementation updates arg_map->size to a non-zero value before attempting to allocate memory for arg_map->args.
  • If the allocation of arg_map->args subsequently fails (e.g., due to low memory or allocation limits), the function jumps to an error/fail label that calls free_choose_arg_map() to clean up.
  • free_choose_arg_map() iterates up to arg_map->size and dereferences arg_map->args entries — but because arg_map->args is still NULL, those dereferences trigger a NULL-pointer dereference and a kernel oops (crash).
The correct defensive approach is to ensure the cleanup routine checks for NULL pointers (or that size is only set after successful allocation) so that iterating over arg_map->args is safe even when partial initialization failed. That is precisely the change recorded in the kernel patches that closed CVE-2026-22991. (nvd.nist.gov)

Why this matters in practice​

A NULL-pointer dereference in kernel code generally leads to an oops and frozen or crashed kernel threads—an availability impact rather than a direct information-disclosure or integrity compromise. The immediate practical consequence is that unpatched systems mounting Ceph volumes (or otherwise invoking the affected code paths) could be forced into a kernel crash by triggering the allocation failure and error path. Because the “attack” is local and depends on the right internal code path, this is not a remote, pre-authentication remote code-execution hole — but it is still operationally serious for service reliability. Vendor advisories and distribution trackers classify this as a moderate-to-medium severity availability issue.

Who and what is affected​

The canonical vulnerability records, as compiled in the NVD and mirrored by Linux distributors, show the issue exists in a broad set of kernel versions and therefore may be present in many downstream kernels until they receive the stable patch.
  • The NVD CPE ranges indicate affected kernel trees spanning older and long-term branches up to recent stable series (examples in the published CPE ranges include kernels from 4.13, 5.10, 5.16 and mid-line 6.x series covered by stable releases). These CPE ranges map into how distributors track which specific released kernels are vulnerable. (nvd.nist.gov)
  • Several distributions already track the issue and list which packaged kernel versions are vulnerable or fixed. Debian’s tracker lists affected source-package versions (with fixed versions noted where backports have landed), and Ubuntu’s security notice marks the issue as a Medium-priority kernel vulnerability.
  • SUSE and Amazon’s Linux Advisory pages also reflect vendor assessments and scoring; SUSE classifies the issue as moderate and provides an SLE advisory for their supported kernel builds. Amazon’s ALAS listing reports a CVSS v3 base score of 5.5 and flags the issue as local with primary availability impact in its advisory matrix.
Because libceph is part of the kernel tree, any distribution or appliance that ships an in-tree kernel with the vulnerable source may need to issue a kernel update or backported fix. Operators running vendor kernels should consult their vendor advisories and the package tracker for their distro to determine whether their installed kernel is in a vulnerable revision range.

Patch details and verification​

The kernel’s CVE entry references a set of stable-branch commits that implement the safety checks; the NVD record includes those kernel.org commit references as the authoritative upstream fixes. The remediation approach in the patch is straightforward and conservative: either avoid setting arg_map->size until after allocation succeeds or add protective NULL checks inside free_choose_arg_map() so that iterating the args array is safe when the pointer is NULL.
Because the kernel project applies fixes across multiple stable branches, you can expect a set of small, targeted commits (one per branch) rather than a single monolithic rewrite. Distribution maintainers typically pick these patches and create vendor-specific kernel package updates or backports; Debian, Ubuntu, SUSE, and Amazon Linux channels have already cataloged the CVE and placed it in their security trackers. (nvd.nist.gov)

Exploitability and real-world risk​

A clear, cautious reading of the public materials yields the following points about how practical exploitation would be:
  • Attack vector: Local only. The bug requires execution of the vulnerable kernel path on the host (e.g., by a process that triggers decode_choose_args() behavior in libceph), so the attacker needs local code execution or a local user context on the host that can invoke the Ceph client logic. (nvd.nist.gov)
  • Privilege requirements: Low privilege appears sufficient to trigger the vulnerable path in some distributions, because the CVSS vectors published by vendors indicate PR:L (low privileges required) in their assessments. That said, the exact conditions depend on whether an attacker can cause the kernel code path to execute and whether allocation failure can be induced in a reproducible manner.
  • Complexity: Medium-to-Low. Vendors characterize the attack complexity as low in some CVSS entries, but reliably reproducing memory-allocation failure in a controlled way at a chosen point in the kernel’s execution is non-trivial in many environments. The practical exploitation corridor is therefore narrower than a simple one-shot remotely exploitable bug.
  • Impact: Availability—kernel oops or crash. Public records do not indicate privilege escalation or information disclosure as primary impacts; rather the immediate impact is a denial-of-service on the affected node. (nvd.nist.gov)
Multiple public trackers show slightly different CVSS numbers and priorities (for example, OpenCVE listed a higher CVSS v3.1 value while SUSE and Amazon list a 5.5 base score), which is not unusual: scoring can vary depending on the assessor’s view of privileges needed, scope, and exploitability. Operators should therefore rely on their own risk model and vendor guidance when prioritizing the patch.

Detection, triage, and containment​

Operators and incident responders should treat this as an availability/operational risk. The following detection and triage steps are practical and minimally invasive.
  • Immediate checks
  • Confirm kernel version: run uname -r and inspect package management (apt/dpkg, rpm, zypper, etc.) to map your installed kernel to the vendor-provided fixed-version tables. Vendors’ trackers list which packaged kernel releases are vulnerable or fixed (Debian/Ubuntu/SUSE/ALAS pages).
  • Check dmesg and system logs for oops patterns: kernel oops messages referencing NULL pointer dereference or stack traces that show free_choose_arg_map or decode_choose_args are the primary indicators of a crash caused by this issue. The presence of repeated Ceph client-related oops logs should be treated as high-priority triage evidence. (nvd.nist.gov)
  • Containment steps
  • If you detect system instability or repeated oops that implicate libceph, consider temporarily unmounting CephFS clients or disabling the kernel Ceph client module on non-critical systems while you prepare a patch deployment. For production Ceph clusters where mountpoints are critical, coordinate maintenance windows with application owners.
  • Limit untrusted local access: since the vulnerability is local-vector, tighten local access controls, remove or suspend untrusted user accounts, and ensure containers or chrooted services cannot reach the code path unless necessary.
  • Forensics
  • Capture kdump/kernel crash dumps where available. A reproducible NULL dereference in free_choose_arg_map will produce a stack trace with function names that help confirm the root cause.
  • Correlate application logs and Ceph client activity to determine what inputs caused decode_choose_args() to run at the time of the crash.
These detection and containment steps are standard operational practice for kernel-level availability issues and will buy time while you coordinate upgrades or backports. (nvd.nist.gov)

How to remediate​

  • Prioritize kernel updates from your distribution vendor. The most reliable remediation is to install a vendor-supplied kernel that includes the upstream stable backport for CVE-2026-22991. Check the vendor’s security tracker for your distribution and the exact fixed package version. Debian, Ubuntu, SUSE, and Amazon Linux trackers list the status for their kernels.
  • If you run in-house kernels or custom builds, pull the upstream stable commit(s) that implement the fix and build a patched kernel. The kernel project published stable-branch commits that add null-pointer checks or rearrange initialization to avoid partial-initialization hazards. The NVD references those commits. (nvd.nist.gov)
  • Apply updates during planned maintenance windows and reboot nodes to activate patched kernels. Because this is a kernel-level fix, a reboot is typically required to finish remediation.
  • For environments that cannot be rebooted immediately, consider temporary mitigations:
  • Unmount Ceph client filesystems where possible, or stop services that exercise libceph paths.
  • Apply local access restrictions to prevent untrusted processes or users from invoking Ceph client operations.
  • Use kernel lockdown/namespace measures to reduce exposure, understanding these are stopgaps and not replacements for patching.
Operators running lls (e.g., 5.10, 5.15 stream) should insist on vendor backports; most major distributions have or will ship the fix as a backported patch into their supported kernel packages rather than requiring an upgrade to the latest mainline kernel.

Why this class of bug keeps appearing and what to do longer term​

Error-path and partial-allocation bugs are a well-known class of kernel weaknesses because kernel code often needs to handle many resource-constrained situations and must clean up partially initialized structures reliably. The libceph codebase has been hardened repeatedly in recent releases to remove assertions, add bounds checks, and make cleanup code defensive so that untrusted or malformed inputs cannot accidentally drive the kernel to an oops. The recent set of libceph CVEs — and their steady stream of small, surgical fixes — is evidence of active maintenance rather than systemic neglect.
Longer-term engineering recommendations for maintainers and system architects include:
  • Favor fail-safe initialization ordering: only mark an object as “in use” after its pointers and sub-structures are fully allocated and validated.
  • Make cleanup robust: cleanup and free routines should defensively handle partially-initialized objects and NULL pointers.
  • Increase unit and fuzz testing coverage for error paths and low-memory conditions so allocation failures and cleanup flows are exercised and validated.
  • Treat in-kernel parsing paths with extra scrutiny: user-controlled inputs that pass through kernel parsing functions are an elevated risk and benefit from deeper test scaffolding.
These are non-trivial engineering investments but pay dividends: each small fix that eliminates an oops reduces operational risk for every node running the kernel. (nvd.nist.gov)

Practical timeline and vendor actionability​

  • Public disclosure: The CVE was published 23 January 2026; NVD incorporated kernel.org references and vendors began tracking it immediately. (nvd.nist.gov)
  • Vendor tracking & fixes: Distribution trackers (Debian, Ubuntu, SUSE) and cloud vendors (Amazon) have marked the CVE and listed affected package versions and fixed-package targets; consult the tracker relevant to your platform to find the precise patch version for your kernel.
  • Exploit maturity: As of the public advisories, there are no widely published remote-exploit chains for CVE-2026-22991; the behavior is a local NULL-pointer dereference that can cause an oops when the cleanup routine is invoked with an uninitialized args pointer. That does not make the issue minor — availability impacts in kernel code can be operationally severe — but it does affect prioritization if you must triage many vulnerabilities. (nvd.nist.gov)

Checklist: What admins should do now​

  • Verify whether your systems mount CephFS or otherwise use the kernel Ceph client; list hosts that are potential carriers of libceph execution.
  • Check your installed kernel versions (uname -r) and cross-reference with your distribution’s security tracker for fixed-package versions.
  • Schedule and apply vendor kernel updates that include the upstream stable fixes; reboot the affected hose window.
  • If immediate patching is impossible, temporarily reduce exposure by unmounting Ceph filesystems where feasible and tightening local-user and container restrictions.
  • Monitor logs for kernel oops and collect kdump traces for any suspect crashes; these artifacts help verify whether observed instability is related to libceph cleanup paths. (nvd.nist.gov)

Final analysis — strengths of the fix, residual risks​

The fix for CVE-2026-22991 is a textbook example of defensive maintenance: it targets a narrowly scoped bug, implements a small but effective change (checks for NULL pointers or safe ordering of initialization), and is amenable to stable-branch backports. That makes the remediation low-risk and straightforward to deploy across vendor kernels, which is a practical strength from an operations perspective. (nvd.nist.gov)
However, residual risks remain:
  • Even after this fix, libceph remains a complex subsystem that must handle untrusted or malformed inputs from distributed-storage peers; other edge cases or race conditions may still exist and deserve continuous testing and review. Historical CVE activity in libceph shows maintainers have repeatedly removed fragile assertions and replaced them with robust checks.
  • Patching lag is the dominant operational risk. Because this is a kernel-level availability issue, any host in production that delays kernel package updates remains at risk of kernel oops. Prioritize nodes that are directly exposed to untrusted local users or multi-tenant workloads first.
  • CVSS and vendor scoring can differ. Use your organization’s risk model rather than relying on a single numeric score; for some environments an availability issue affecting a critical Ceph client node is a show-stopper, whereas for isolated nodes it might be lower priority.
In short: CVE-2026-22991 is a locally exploitable kernel availability bug in libceph caused by unsafe cleanup logic after a partial allocation. The remedy is upstream, minimal, and already tracked by major vendors — but the operational risk depends on whether your estate runs kernels in the affected ranges and whether Ceph client code paths are exercised. Operators should inventory Ceph client usage, prioritize vendor kernel updates, collect crash artifacts if instability is observed, and treat this fix as a routine but important kernel maintenance action. (nvd.nist.gov)
Source: MSRC Security Update Guide - Microsoft Security Response Center
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2026-22992: Kernel libceph Fix Prevents Auth State Mismatch in Ceph
Replies
0
Views
1
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux Kernel Libceph Bounds Check Fix CVE-2026-22984: Patch and Impact
Replies
0
Views
1
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Kernel libceph CVE-2025-68283: From BUG_ON to safe OSD index bounds
Replies
0
Views
40
ChatGPT
ChatGPT
ChatGPT
  • Article Article
AMDGPU Kernel Patch Prevents NULL Pointer Dereference CVE-2024-49904
Replies
0
Views
25
ChatGPT
ChatGPT
ChatGPT
  • Article Article
FRR OSPF CVE-2025-61107 Patch Prevents NULL Pointer Crash
Replies
0
Views
28
ChatGPT
ChatGPT
Back
Top