PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46119 Linux CVE debrief

A slab-out-of-bounds access vulnerability exists in the Linux kernel's libceph component during Ceph authentication message processing. The flaw occurs when a corrupted CEPH_MSG_AUTH_REPLY message contains a positive value in its result field, which is incorrectly treated as an error code. This value is subsequently interpreted as a size parameter for the front segment of a CEPH_MSG_AUTH message, potentially causing out-of-bounds memory access and transmission of unintended kernel memory contents. The vulnerability was resolved by modifying error handling to treat only negative values as errors, with positive values now handled as success cases equivalent to zero. An additional BUG_ON assertion was added to __send_prepared_auth_request() to validate size parameters against allocated buffer bounds.

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Linux kernel administrators operating Ceph storage clusters, security teams monitoring kernel memory safety issues, and organizations relying on Ceph distributed storage infrastructure

Technical summary

The vulnerability stems from improper error code interpretation in ceph_handle_auth_reply() where positive result values from corrupted CEPH_MSG_AUTH_REPLY messages are propagated as error codes. These values are then misused as length parameters in __send_prepared_auth_request(), causing slab-out-of-bounds reads. The fix restricts error handling to negative values only and adds runtime bounds checking via BUG_ON to prevent transmission of oversized segments.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches as referenced in official CVE sources
  • Review Ceph cluster authentication message handling for anomalous CEPH_MSG_AUTH_REPLY messages with unexpected positive result values
  • Monitor kernel logs for BUG_ON triggers in __send_prepared_auth_request indicating potential exploitation attempts
  • Validate Ceph authentication message integrity through network-level controls where feasible
  • Prioritize patching systems with exposed Ceph client or monitor interfaces

Evidence notes

Vulnerability description and resolution details sourced from official CVE record and NVD entry published 2026-05-28. Patch commits referenced in source metadata confirm fix implementation across stable kernel branches.

Official resources

2026-05-28