CVE-2026-22991

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-22991
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22991.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22991
Downstream
Related
Published
2026-01-23T15:24:12.191Z
Modified
2026-05-15T11:53:59.811404499Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
libceph: make free_choose_arg_map() resilient to partial allocation
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: make freechoosearg_map() resilient to partial allocation

freechoosearg_map() may dereference a NULL pointer if its caller fails after a partial allocation.

For example, in decodechooseargs(), if allocation of argmap->args fails, execution jumps to the fail label and freechooseargmap() is called. Since argmap->size is updated to a non-zero value before memory allocation, freechooseargmap() will iterate over arg_map->args and dereference a NULL pointer.

To prevent this potential NULL pointer dereference and make freechoosearg_map() more resilient, add checks for pointers before iterating.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22991.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.13.0
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.161
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.121
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.66
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.6

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22991.json"