PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43407 Linux CVE debrief

CVE-2026-43407 is a critical Linux kernel libceph vulnerability in ceph_handle_auth_reply(). In a malformed CEPH_MSG_AUTH_REPLY message, a payload_len field larger than INT_MAX is stored in a signed int and becomes negative; the decoder then advances its cursor backwards and performs an out-of-bounds read before the buffer. The issue was published on 2026-05-08 and last modified on 2026-05-21; official stable kernel patch references are listed in the source corpus.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators running Ceph-connected systems on affected kernel branches should prioritize this issue. It is especially relevant for environments where hosts process untrusted or externally influenced Ceph traffic, including cluster nodes and clients.

Technical summary

The NVD record and kernel fix description indicate that ceph_handle_auth_reply() stored payload_len in an int. A wire value greater than INT_MAX becomes negative when stored there, so advancing the parse pointer by payload_len moves it backwards instead of forwards. The following ceph_decode_need() only checks that the requested bytes end before the end of the buffer; a pointer that now sits before the start of the allocation passes that check, and the next decode reads memory outside the allocation. The patch changes payload_len and result_msg_len to u32 and adds sanity checks that reject values larger than the remaining segment length immediately after parsing, before the pointer is advanced. NVD classifies the weakness as CWE-125 and rates it CVSS 3.1 9.1/Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
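The following is an added example written for this debrief; it is not the kernel's code and not taken from the fix commits. It models the decode pattern described above in userspace: a signed-length decoder that performs only an end-of-buffer room check, beside a hardened decoder that keeps lengths unsigned and checks each one against the remaining segment before advancing. The message layout (three 32-bit fields, a 64-bit field, then payload_len, payload, result_msg_len, result_msg) and the sample messages are constructed for the demonstration; names such as has_room, run_case and build_auth_reply are this example's own. Pointer values are tracked as uintptr_t so the backwards move is well-defined arithmetic here rather than undefined pointer arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of running one message through a model decoder. */
enum decode_result {
    DECODE_OK = 0,        /* lengths consistent, every read stayed inside the buffer */
    DECODE_REJECTED = 1,  /* a room check failed, message dropped */
    DECODE_OOB_READ = 2,  /* room check passed but the next read would land before the buffer */
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Model of an end-only room check: true when p has not passed end and n bytes fit before end.
 * It says nothing about whether p is still at or after the start of the allocation. */
static int has_room(uintptr_t p, uintptr_t end, size_t n) {
    return end >= p && n <= end - p;
}

/* Pre-fix pattern (model): payload_len is a signed int. A wire value above INT_MAX becomes
 * negative, "p += payload_len" moves the cursor backwards, and the end-only check cannot see it. */
static enum decode_result decode_signed_len(const uint8_t *buf, size_t len) {
    uintptr_t base = (uintptr_t)buf, p = base, end = base + len;
    int payload_len, result_msg_len;

    if (!has_room(p, end, 4 * 3 + 8)) return DECODE_REJECTED;
    p += 4 + 4 + 8;                                   /* protocol, result, global_id */
    payload_len = (int)get_le32((const uint8_t *)p);  /* u32 -> int: wraps on two's-complement targets */
    p += 4;
    p += payload_len;                                 /* negative length: cursor now before buf */
    if (!has_room(p, end, 4)) return DECODE_REJECTED;
    if (p < base) return DECODE_OOB_READ;             /* next step would decode result_msg_len from here */
    result_msg_len = (int)get_le32((const uint8_t *)p);
    p += 4;
    p += result_msg_len;
    return p == end ? DECODE_OK : DECODE_REJECTED;
}

/* Post-fix pattern (model): lengths are u32 and each one is checked against the remaining
 * segment before the cursor advances, so the cursor can never move backwards. */
static enum decode_result decode_unsigned_len(const uint8_t *buf, size_t len) {
    uintptr_t base = (uintptr_t)buf, p = base, end = base + len;
    uint32_t payload_len, result_msg_len;

    if (!has_room(p, end, 4 * 3 + 8)) return DECODE_REJECTED;
    p += 4 + 4 + 8;
    payload_len = get_le32((const uint8_t *)p);
    p += 4;
    if (!has_room(p, end, payload_len)) return DECODE_REJECTED;     /* reject before using it */
    p += payload_len;
    if (!has_room(p, end, 4)) return DECODE_REJECTED;
    result_msg_len = get_le32((const uint8_t *)p);
    p += 4;
    if (!has_room(p, end, result_msg_len)) return DECODE_REJECTED;
    p += result_msg_len;
    return p == end ? DECODE_OK : DECODE_REJECTED;
}

/* Builds a constructed AUTH_REPLY-shaped buffer (not a captured message): header fields,
 * a payload_len field that may disagree with the payload actually present, then an empty result_msg. */
static size_t build_auth_reply(uint8_t *out, uint32_t payload_len_field, size_t payload_bytes) {
    size_t off = 0;
    put_le32(out + off, 2); off += 4;               /* protocol: arbitrary value */
    put_le32(out + off, 0); off += 4;               /* result */
    memset(out + off, 0, 8); off += 8;              /* global_id */
    put_le32(out + off, payload_len_field); off += 4;
    memset(out + off, 0xAA, payload_bytes); off += payload_bytes;
    put_le32(out + off, 0); off += 4;               /* result_msg_len = 0 */
    return off;
}

/* Runs one constructed case through either decoder; hardened != 0 selects the post-fix model. */
enum decode_result run_case(uint32_t payload_len_field, size_t payload_bytes, int hardened) {
    uint8_t msg[64];
    size_t n = build_auth_reply(msg, payload_len_field, payload_bytes);
    return hardened ? decode_unsigned_len(msg, n) : decode_signed_len(msg, n);
}

int main(void) {
    printf("well-formed (len 8):      signed=%d hardened=%d\n", run_case(8, 8, 0), run_case(8, 8, 1));
    printf("len 0xFFFFFFC0 (-64):     signed=%d hardened=%d\n", run_case(0xFFFFFFC0u, 0, 0), run_case(0xFFFFFFC0u, 0, 1));
    printf("len 0x7FFFFFFF (INT_MAX): signed=%d hardened=%d\n", run_case(0x7FFFFFFFu, 0, 0), run_case(0x7FFFFFFFu, 0, 1));
    return 0;
}
```

The INT_MAX case shows why the end-only check looked sufficient: a huge positive length pushes the cursor past end and is caught. Only a value that turns negative slips through, because the check never compares the cursor against the start of the allocation. The hardened version does not need that start comparison at all, since an unsigned length checked before the advance cannot move the cursor backwards.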

Defensive priority

Critical. Patch and verify exposure promptly, especially on any host that may handle Ceph authentication replies. The CVSS vector rates the issue network-reachable with no privileges or user interaction required, and it affects a broad set of Linux kernel release branches listed by NVD.

Recommended defensive actions

  • Update affected Linux kernels to a vendor build that includes the libceph fix.
  • Confirm whether any systems use Ceph and whether they run kernel versions in the affected ranges reported by NVD.
  • Prioritize internet-facing, cluster, and storage nodes that process Ceph traffic.
  • Track distro advisories and backport status for the kernel branches you operate, since the official fix is provided through stable kernel patches.
  • Validate remediation by checking the installed kernel against your vendor's fixed-package guidance rather than relying only on upstream version labels.
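As an added example for the exposure check in the actions above (this is not PatchSiren's or the kernel project's tooling), the function below encodes the numeric affected ranges NVD lists for this CVE and classifies an upstream-style version string against them. It treats each branch as a half-open interval [first affected, first fixed), so 5.10.253 is reported as not affected while 5.11.0 is. Release-candidate tags (7.0-rc1 through rc3) carry no numeric patch level and are deliberately not modelled; the sample version strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A kernel version as up to four numeric components (2.6.34.1 -> {2,6,34,1}). */
struct kver { int c[4]; };

/* Parses "major.minor[.patch[.sub]]" and ignores any trailing suffix such as "-generic".
 * Returns 0 on success, -1 if no leading number could be read. */
static int kver_parse(const char *s, struct kver *v) {
    char *end;
    memset(v, 0, sizeof(*v));
    for (int i = 0; i < 4; i++) {
        long n = strtol(s, &end, 10);
        if (end == s) return i == 0 ? -1 : 0;
        v->c[i] = (int)n;
        if (*end != '.') return 0;
        s = end + 1;
    }
    return 0;
}

static int kver_cmp(const struct kver *a, const struct kver *b) {
    for (int i = 0; i < 4; i++)
        if (a->c[i] != b->c[i]) return a->c[i] < b->c[i] ? -1 : 1;
    return 0;
}

/* Affected branches as listed by NVD for this CVE: [from, to) per branch. */
struct range { struct kver from, to; };
static const struct range affected[] = {
    { {{2, 6, 34, 1}}, {{5, 10, 253, 0}} },
    { {{5, 11, 0, 0}}, {{5, 15, 203, 0}} },
    { {{5, 16, 0, 0}}, {{6, 1, 167, 0}} },
    { {{6, 2, 0, 0}},  {{6, 6, 130, 0}} },
    { {{6, 7, 0, 0}},  {{6, 12, 78, 0}} },
    { {{6, 13, 0, 0}}, {{6, 18, 19, 0}} },
    { {{6, 19, 0, 0}}, {{6, 19, 9, 0}} },
};

/* Returns 1 if the version falls in an affected range, 0 if not, -1 if unparsable.
 * A 0 only means "not in the upstream ranges": a vendor kernel that reports an affected
 * number may already carry the backport, so confirm against the distro's fixed-package advisory. */
int kernel_version_affected(const char *version) {
    struct kver v;
    if (kver_parse(version, &v) < 0) return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(&v, &affected[i].from) >= 0 && kver_cmp(&v, &affected[i].to) < 0)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed sample strings in the shape "uname -r" prints. */
    const char *samples[] = { "6.6.129", "6.6.130-generic", "5.10.252", "5.10.253", "5.11", "6.19.9", "4.19.300" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], kernel_version_affected(samples[i]));
    return 0;
}
```

Feed it the output of uname -r on each host, but read a 1 as "review this host" and a 0 as "not in the upstream list", not as proof of a fix; the vendor's fixed-package guidance remains the authoritative remediation check.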

Evidence notes

Supported by the supplied NVD record and kernel patch references. The source corpus states that payload_len and result_msg_len were changed to u32 and that additional ceph_decode_need() sanity checks were added. NVD lists the following affected kernel branches:
  • 2.6.34.1 through before 5.10.253
  • 5.11 through before 5.15.203
  • 5.16 through before 6.1.167
  • 6.2 through before 6.6.130
  • 6.7 through before 6.12.78
  • 6.13 through before 6.18.19
  • 6.19 through before 6.19.9
  • 2.6.34 release variants and 7.0-rc1 through rc3
No KEV listing is present in the supplied enrichment.

Official resources

CVE published by NVD on 2026-05-08 and last modified on 2026-05-21. The supplied corpus links to multiple official stable kernel patch commits as mitigation references.