CVE-2026-43407

Source
https://cve.org/CVERecord?id=CVE-2026-43407
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43407.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43407
Downstream
Related
Published
2026-05-08T14:21:46.927Z
Modified
2026-07-03T18:29:35.087867461Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()

This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.

This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.

Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.

BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262

CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 print_report+0xd1/0x620
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? kasan_complete_mode_report_info+0x72/0x210
 kasan_report+0xe7/0x130
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 __asan_report_load_n_noabort+0xf/0x20
 ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 mon_dispatch+0x973/0x23d0 [libceph]
 ? apparmor_socket_recvmsg+0x6b/0xa0
 ? __pfx_mon_dispatch+0x10/0x10 [libceph]
 ? __kasan_check_write+0x14/0x30
 ? mutex_unlock+0x7f/0xd0
 ? __pfx_mutex_unlock+0x10/0x10
 ? __pfx_do_recvmsg+0x10/0x10 [libceph]
 ceph_con_process_message+0x1f1/0x650 [libceph]
 process_message+0x1e/0x450 [libceph]
 ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
 ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
 ? save_fpregs_to_fpstate+0xb0/0x230
 ? raw_spin_rq_unlock+0x17/0xa0
 ? finish_task_switch.isra.0+0x13b/0x760
 ? __switch_to+0x385/0xda0
 ? __kasan_check_write+0x14/0x30
 ? mutex_lock+0x8d/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 ceph_con_workfn+0x248/0x10c0 [libceph]
 process_one_work+0x629/0xf80
 ? __kasan_check_write+0x14/0x30
 worker_thread+0x87f/0x1570
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? __pfx_try_to_wake_up+0x10/0x10
 ? kasan_print_address_stack_frame+0x1f7/0x280
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x396/0x830
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ? __kasan_check_write+0x14/0x30
 ? recalc_sigpending+0x180/0x210
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x3f7/0x610
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x385/0xda0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

[ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]
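The bug class described above, reproduced as a user-space C example. This is an added illustration, not libceph code: the message layout (u32 payload_len, payload bytes, u32 result, u32 result_msg_len, message bytes), the `has_room()` check, the parser names and the 64-byte arena standing in for a slab are all assumptions made for the demo. What it shows is why an end-relative room check cannot catch a negative advance: a wire length of 0xFFFFFFF0 becomes -16 once stored in an int, the pointer walks 12 bytes in front of the message, the check still passes because the pointer is below `end`, and the "result" field is read out of the neighbouring object (the 'A' bytes). The fixed parser keeps the length unsigned and checks it before advancing, so the same input is rejected, as is an oversized result_msg_len.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed room check modelled on the behaviour described in the commit message:
 * it only verifies that n bytes fit between p and end, nothing about the start. */
static bool has_room(const uint8_t *p, const uint8_t *end, size_t n)
{
    return end >= p && n <= (size_t)(end - p);
}

static uint32_t get_le32(const uint8_t **p)
{
    const uint8_t *b = *p;
    *p += 4;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void put_le32(uint8_t *b, uint32_t v)
{
    b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); b[2] = (uint8_t)(v >> 16); b[3] = (uint8_t)(v >> 24);
}

enum { PARSE_OK = 0, PARSE_BAD = -1 };

struct auth_reply {
    uint32_t result;
    uint32_t result_msg_len;
    ptrdiff_t result_off;   /* offset from message start at which 'result' was read */
};

/* Vulnerable shape: the u32 wire length lands in an int and the pointer is advanced
 * before any check on the length itself. */
static int parse_auth_reply_vuln(const uint8_t *msg, size_t len, struct auth_reply *out)
{
    const uint8_t *p = msg, *end = msg + len;
    int payload_len;

    if (!has_room(p, end, 4)) return PARSE_BAD;
    payload_len = (int)get_le32(&p);   /* > INT_MAX wraps to a negative value (two's complement) */
    p += payload_len;                  /* negative: p now points in front of the message */
    if (!has_room(p, end, 8)) return PARSE_BAD;   /* passes: p is still below end */
    out->result_off = p - msg;
    out->result = get_le32(&p);        /* reads bytes that belong to whatever precedes msg */
    out->result_msg_len = get_le32(&p);
    return PARSE_OK;
}

/* Fixed shape: unsigned length, and each length is checked against the remaining
 * segment before the pointer moves, as the patch description says. */
static int parse_auth_reply_fixed(const uint8_t *msg, size_t len, struct auth_reply *out)
{
    const uint8_t *p = msg, *end = msg + len;
    uint32_t payload_len;

    if (!has_room(p, end, 4)) return PARSE_BAD;
    payload_len = get_le32(&p);
    if (!has_room(p, end, payload_len)) return PARSE_BAD;   /* rejects 0xFFFFFFF0 outright */
    p += payload_len;
    if (!has_room(p, end, 8)) return PARSE_BAD;
    out->result_off = p - msg;
    out->result = get_le32(&p);
    out->result_msg_len = get_le32(&p);
    if (!has_room(p, end, out->result_msg_len)) return PARSE_BAD;
    return PARSE_OK;
}

/* Constructed arena standing in for a slab page: 32 bytes of 'A' (a neighbouring
 * object) followed by the message under test. */
#define MSG_OFF 32
static uint8_t arena[64];

struct outcome {
    int rc_vuln, rc_fixed;
    ptrdiff_t vuln_off;     /* where the vulnerable parser read 'result' from */
    uint32_t vuln_result;   /* what it read there */
};

/* Build a reply with the given fields and run both parsers over it. */
static struct outcome run_case(uint32_t len_field, const char *payload,
                               uint32_t result, uint32_t result_msg_len)
{
    uint8_t *m = arena + MSG_OFF;
    size_t n = 0, plen = strlen(payload);
    struct auth_reply v = {0}, f = {0};
    struct outcome o;

    memset(arena, 'A', sizeof arena);
    put_le32(m + n, len_field);  n += 4;
    if (plen) { memcpy(m + n, payload, plen); n += plen; }
    put_le32(m + n, result);          n += 4;
    put_le32(m + n, result_msg_len);  n += 4;

    o.rc_vuln = parse_auth_reply_vuln(m, n, &v);
    o.rc_fixed = parse_auth_reply_fixed(m, n, &f);
    o.vuln_off = v.result_off;
    o.vuln_result = v.result;
    return o;
}

int main(void)
{
    struct outcome o = run_case(0xFFFFFFF0u, "", 0, 0);   /* payload_len -> int -16 */
    printf("hostile: vuln rc=%d read at offset %td value 0x%08x, fixed rc=%d\n",
           o.rc_vuln, o.vuln_off, o.vuln_result, o.rc_fixed);
    o = run_case(2, "ab", 7, 0);                           /* well-formed reply */
    printf("benign:  vuln rc=%d, fixed rc=%d, result=%u\n", o.rc_vuln, o.rc_fixed, o.vuln_result);
    o = run_case(0, "", 1, 100);                           /* result_msg_len past the end */
    printf("oversize msg_len: vuln rc=%d, fixed rc=%d\n", o.rc_vuln, o.rc_fixed);
    return 0;
}
```

The hostile case lands the read at offset -12 from the message start, inside the 'A' region, which is the user-space analogue of the 4-byte slab-out-of-bounds read KASAN reports above; the fixed parser fails the new length check before the pointer ever moves.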

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43407.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Fixed
ea080b21092590122c3f971cf588932cdbf47847
Fixed
edc678e5cd11730a2834b43071d8923f05bc334d
Fixed
6cee34d6669fe176b4259131adb1a145c939b472
Fixed
8bb87547e92dcf0928ed763c60e0ac8d733c3656
Fixed
ed024d2f4c79c0eb2464df0fb640610ac301f9a0
Fixed
f9da5c1bbac5c8e33259fe00ed7347438fffa969
Fixed
9f9e2297f45fc2d2524eb104c289d69ddef95665
Fixed
b282c43ed156ae15ea76748fc15cd5c39dc9ab72

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43407.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.34
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.167
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.130
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.78
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.19
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43407.json"