CRITICAL
ceph AuthKey Overflow
CVE-2026-43304
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 9.8 (CRITICAL)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: define and enforce CEPH_MAX_KEY_LEN

When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length.

The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material, which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- this has to be handled elsewhere anyway.
02 KernelScan AI Analysis
Risk summary
Remote attackers can trigger a stack buffer overflow in the Ceph authentication protocol by sending oversized key material. This could lead to kernel memory corruption, information disclosure, or code execution on systems running Ceph clients or servers.
Vulnerability analysis
The vulnerability occurs in ceph_crypto_key_decode(), where the key length is read from network data without a bounds check; the key material is later copied into a fixed 16-byte stack buffer in process_auth_done(). An attacker can send authentication responses whose key length exceeds 16 bytes and overflow that stack buffer. The fix adds a CEPH_MAX_KEY_LEN validation that rejects oversized keys before they are processed. The attack surface includes any system with network connectivity to a Ceph cluster, and no authentication is required to trigger the issue.
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | 6405e8c68097 |
| 6.1 | 6.1.165 | 8d745d38c88e |
| 6.6 | 6.6.128 | e1dc45d97975 |
| 6.12 | 6.12.75 | 1b275bd49e58 |
| 6.18 | 6.18.16 | c1a0f5f1e5e7 |
| 6.19 | 6.19.6 | d82467c07b03 |
| mainline | 7.0 | ac431d597a9b |