KernelScan.io

HIGH

ceph OSDMap NULL Deref

CVE-2026-22991

CVSS 7.5 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI: 7.5 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

libceph: make free_choose_arg_map() resilient to partial allocation

free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer.

To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.

02

Engine v0.2.0

Risk summary

A NULL pointer dereference vulnerability in the Ceph storage client can cause kernel crashes when processing malformed OSD map data. This could lead to denial of service on systems using Ceph distributed storage, particularly if an attacker can influence the OSD map data received by the client.

Affected: net/ceph/osdmap.c

Vulnerability analysis

Root Cause: The free_choose_arg_map() function lacks proper NULL pointer checks before dereferencing pointers during cleanup. When decode_choose_args() fails after partially allocating memory (setting arg_map->size but failing to allocate arg_map->args), the cleanup path calls free_choose_arg_map() which attempts to iterate over a NULL arg_map->args pointer using the non-zero size value.

Attack Surface: This vulnerability affects the Ceph distributed storage client code in the kernel. It can be triggered when processing malformed or crafted Ceph OSD map data that causes allocation failures during choose_args decoding. The attack surface includes any system using Ceph storage that processes untrusted OSD map data, typically through network communication with Ceph clusters.

Fix Mechanism: The patch adds defensive NULL pointer checks in free_choose_arg_map() before dereferencing arg_map->args and arg->weight_set. It restructures the function to check if arg_map->args is NULL before iterating, and checks if arg->weight_set is NULL before accessing its members. This makes the cleanup function resilient to partial allocation failures.
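The root cause and the fix both come down to an ordering problem in the cleanup contract: the decoder records arg_map->size before the backing array exists, so a cleanup routine that trusts size alone walks a NULL array. The following userspace model, added here as an illustration and not taken from net/ceph/osdmap.c, reproduces that partial-allocation path with malloc/free standing in for kmalloc/kfree. Structure and field names (args, size, weight_set, weight_set_size) mirror the kernel's for readability, but the decode function, its fail_args switch and the helper functions are constructed for this example. The pre-fix cleanup shape is kept alongside the hardened one so the difference in pointer checks is visible.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed userspace model of the libceph choose_args structures.
 * Field names follow the kernel's, but this is illustration code. */
struct weight_set {
	unsigned int *weights;
};

struct choose_arg {
	struct weight_set *weight_set;
	unsigned int weight_set_size;
};

struct choose_arg_map {
	struct choose_arg *args;
	unsigned int size;
};

/* Pre-fix shape of the cleanup: size is trusted and args is walked
 * unconditionally. Only safe on a fully built map; on a map whose args
 * allocation failed it reads through a NULL pointer. */
static void free_choose_arg_map_unchecked(struct choose_arg_map *m)
{
	unsigned int i, j;

	if (!m)
		return;
	for (i = 0; i < m->size; i++) {
		struct choose_arg *arg = &m->args[i];

		for (j = 0; j < arg->weight_set_size; j++)
			free(arg->weight_set[j].weights);
		free(arg->weight_set);
	}
	free(m->args);
	free(m);
}

/* Hardened cleanup: each pointer is checked before it is iterated, so a
 * map abandoned at any allocation step can be released safely. */
static void free_choose_arg_map(struct choose_arg_map *m)
{
	unsigned int i, j;

	if (!m)
		return;
	if (m->args) {
		for (i = 0; i < m->size; i++) {
			struct choose_arg *arg = &m->args[i];

			if (arg->weight_set) {
				for (j = 0; j < arg->weight_set_size; j++)
					free(arg->weight_set[j].weights);
				free(arg->weight_set);
			}
		}
		free(m->args);
	}
	free(m);
}

/* Model of the failing decode path: size is recorded before args is
 * allocated; fail_args simulates that allocation failing. Returns 0 on
 * success (caller owns *out) or -1 on failure (map already released). */
static int decode_choose_args(unsigned int size, int fail_args,
			      struct choose_arg_map **out)
{
	struct choose_arg_map *m = calloc(1, sizeof(*m));
	unsigned int i;

	*out = NULL;
	if (!m)
		return -1;
	m->size = size;			/* set before the array exists */
	m->args = fail_args ? NULL : calloc(size, sizeof(*m->args));
	if (!m->args)
		goto fail;
	for (i = 0; i < size; i++) {
		m->args[i].weight_set_size = 1;
		m->args[i].weight_set = calloc(1, sizeof(struct weight_set));
		if (!m->args[i].weight_set)
			goto fail;
		m->args[i].weight_set[0].weights = calloc(4, sizeof(unsigned int));
		if (!m->args[i].weight_set[0].weights)
			goto fail;
	}
	*out = m;
	return 0;

fail:
	free_choose_arg_map(m);		/* pre-fix code used the unchecked variant here */
	return -1;
}

/* Drives the args-allocation failure with a non-zero size; returns 1 if
 * the cleanup was survived and no map leaked out to the caller. */
static int partial_allocation_is_survived(void)
{
	struct choose_arg_map *m;
	int rc = decode_choose_args(8, 1, &m);

	return rc == -1 && m == NULL;
}

/* Success path: decode n args, release with the pre-fix cleanup (safe on
 * a complete map), and report how many args were decoded. */
static unsigned int decode_and_release(unsigned int n)
{
	struct choose_arg_map *m;
	unsigned int got;

	if (decode_choose_args(n, 0, &m) != 0)
		return 0;
	got = m->size;
	free_choose_arg_map_unchecked(m);
	return got;
}

int main(void)
{
	printf("decoded %u args on the success path\n", decode_and_release(2));
	printf("failure path survived: %d\n", partial_allocation_is_survived());
	return 0;
}
```

The second check in free_choose_arg_map(), on arg->weight_set, matters for the other failure point in the loop: if an inner allocation fails for entry i, entries after i are still zero-filled from calloc and must not have their weight_set walked.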

03

Branch     Fixed in    Patch commit
5.10       5.10.248    9b3730dabcf3
5.15       5.15.198    851241d3f78a
6.1        6.1.161     ec1850f663da
6.12       6.12.66     c4c2152a858c
6.18       6.18.6      f21c3fdb9683
6.6        6.6.121     8081faaf089d
mainline   6.19        e3fe30e57649