ceph Authentication Race NULL Deref
CVE-2026-22992
Severity: HIGH (KernelScan AI score 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().
02 KernelScan AI Analysis
Risk summary
An error-propagation bug in the kernel Ceph client's monitor authentication handling lets msgr2 keep establishing a session after the client-side auth handler has already reported a failure to the layers above it. The two layers then disagree about whether authentication succeeded; in msgr2 secure mode the continuation trips a WARN in setup_crypto() and then a NULL pointer dereference in prepare_auth_signature(), crashing the client. The impact is availability only (CVSS C:N/I:N/A:H). Affected hosts are those running the in-kernel Ceph client (libceph, used by both CephFS and RBD) with secure mode enabled.
Vulnerability analysis
Root Cause: mon_handle_auth_done() did not propagate the error code from ceph_auth_handle_reply_done() to its caller. The error was reported upward through finish_auth(), so the mon_client layer and its users learned that authentication had failed, but the function itself returned 0 regardless of the actual result. The msgr2 connection code, which only sees that return value, therefore treated the auth_done reply as a success and continued session establishment in the background without the state that a successful authentication would have set up. Although the page's title calls this a race, the mismatch is deterministic: it does not depend on timing, only on the handler returning an error.
Attack Surface: The vulnerable code is the in-kernel Ceph client (libceph), not the monitor or OSD daemons. The bug is reached during the msgr2 authentication handshake with a monitor: the monitor has sent its auth_done reply and considers the client authenticated, but the client-side handler ceph_auth_handle_reply_done() returns an error. Triggering it therefore requires being in the position of a monitor the client talks to, or of something able to inject or alter that reply on the path, together with whatever makes the client-side reply handling fail. The crash path in the commit message is specific to secure mode. To check a client's exposure: the running kernel must predate the fix for its branch (see the table below), and the connection must use secure mode (for CephFS, look for ms_mode=secure in /proc/mounts).
Fix Mechanism: The patch is a one-line change in mon_handle_auth_done(): 'return 0;' becomes 'return ret;', so the error from ceph_auth_handle_reply_done() reaches the msgr2 caller. With the error visible, msgr2 aborts session establishment instead of carrying on into setup_crypto() and prepare_auth_signature() without the authentication state they expect, which removes both the WARN and the NULL pointer dereference. Both layers now see the same result for the handshake.
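To make the Root Cause and Fix Mechanism above concrete, here is an added C model of the pre- and post-patch handler. It is example code written for this page, not libceph: the function names mirror the kernel's, but the structs, the reply_ok flag and the outcome codes are assumptions, and the NULL dereference in prepare_auth_signature() is detected and reported rather than performed.

```c
/* Constructed model of mon_handle_auth_done() before and after the patch.
 * Illustrative code for this page, not kernel code: names mirror libceph,
 * every struct, flag and return path is an assumption for the demo. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum outcome {
	SESSION_ESTABLISHED = 0, /* auth succeeded, msgr2 finished the handshake */
	SESSION_ABORTED     = 1, /* handler error propagated, msgr2 stopped cleanly */
	NULL_DEREF_REACHED  = 2  /* msgr2 kept going with no key (the bug) */
};

struct auth_state {
	const unsigned char *session_key; /* NULL until auth really succeeds */
	int finished;                     /* finish_auth() was called */
	int finish_err;                   /* error finish_auth() reported upward */
};

struct session_state {
	int crypto_setup; /* setup_crypto() was entered */
	int warned;       /* setup_crypto() hit the "no key" WARN */
};

static const unsigned char demo_key[16] = { 0x01, 0x02, 0x03, 0x04 };

/* Stand-in for ceph_auth_handle_reply_done(): the monitor already sent
 * auth_done, but the client-side handler can still fail (reply_ok == 0). */
static int auth_handle_reply_done(struct auth_state *as, int reply_ok)
{
	if (!reply_ok)
		return -EACCES;
	as->session_key = demo_key;
	return 0;
}

/* finish_auth() is how the higher layers learn the auth result. */
static void finish_auth(struct auth_state *as, int err)
{
	as->finished = 1;
	as->finish_err = err;
}

/* Pre-patch: error goes up via finish_auth(), but the return value is 0. */
static int mon_handle_auth_done_buggy(struct auth_state *as, int reply_ok)
{
	int ret = auth_handle_reply_done(as, reply_ok);

	finish_auth(as, ret);
	return 0;
}

/* Post-patch: return ret, so the msgr2 caller sees the failure too. */
static int mon_handle_auth_done_fixed(struct auth_state *as, int reply_ok)
{
	int ret = auth_handle_reply_done(as, reply_ok);

	finish_auth(as, ret);
	return ret;
}

/* Stand-in for prepare_auth_signature(): the real code uses the key
 * unconditionally; here the NULL case is reported instead of faulting. */
static enum outcome prepare_auth_signature(const unsigned char *key)
{
	if (!key)
		return NULL_DEREF_REACHED; /* the kernel would oops here */
	return SESSION_ESTABLISHED;
}

/* msgr2 side: it only knows to stop if the handler returns an error. */
static enum outcome msgr2_auth_done(struct session_state *ss, struct auth_state *as,
				    int (*handler)(struct auth_state *, int),
				    int reply_ok)
{
	if (handler(as, reply_ok))
		return SESSION_ABORTED;
	ss->crypto_setup = 1;      /* setup_crypto() */
	if (!as->session_key)
		ss->warned = 1;    /* the WARN named in the commit message */
	return prepare_auth_signature(as->session_key);
}

/* Run one handshake: fixed selects the patched handler, reply_ok whether the
 * client-side reply handling succeeds. */
enum outcome run_handshake(int fixed, int reply_ok)
{
	struct auth_state as = { 0 };
	struct session_state ss = { 0 };

	return msgr2_auth_done(&ss, &as,
			       fixed ? mon_handle_auth_done_fixed : mon_handle_auth_done_buggy,
			       reply_ok);
}

/* 1 when the upper layer saw a failure but msgr2 still entered setup_crypto(). */
int layers_disagree(int fixed, int reply_ok)
{
	struct auth_state as = { 0 };
	struct session_state ss = { 0 };

	msgr2_auth_done(&ss, &as,
			fixed ? mon_handle_auth_done_fixed : mon_handle_auth_done_buggy,
			reply_ok);
	return as.finished && as.finish_err != 0 && ss.crypto_setup;
}

int main(void)
{
	static const char *names[] = { "established", "aborted", "NULL deref" };
	int fixed, ok;

	for (fixed = 0; fixed < 2; fixed++)
		for (ok = 1; ok >= 0; ok--)
			printf("%s handler, reply %s: %s\n",
			       fixed ? "fixed" : "buggy", ok ? "accepted" : "rejected",
			       names[run_handshake(fixed, ok)]);
	return 0;
}
```

The buggy handler with a rejected reply is the only combination in which layers_disagree() returns 1: finish_auth() has recorded the error for the upper layer while msgr2, seeing 0, has already entered setup_crypto(). Returning ret collapses that state to a clean abort without touching anything else.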
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.198 | 77229551f2cf |
| 6.1 | 6.1.161 | 33908769248b |
| 6.6 | 6.6.121 | e097cd858196 |
| 6.12 | 6.12.66 | d2c4a5f69966 |
| 6.18 | 6.18.6 | 9e0101e57534 |
| mainline | 6.19 | e84b48d31b50 |