CVE-2026-46024
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel within libceph that may lead to a null pointer dereference in the ceph_handle_auth_reply() function. The issue occurs when a CEPH_MSG_AUTH_REPLY message contains zero values for both protocol and result, which is not currently treated as an error.
Risk Assessment
This vulnerability may lead to system crashes or unexpected behavior of applications using libceph, potentially impacting the stability and security of the entire system.
Recommendation
It is recommended to update the Linux kernel to the latest version where a patch has been introduced to eliminate this vulnerability.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.

