| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026012351-CVE-2026-22991-e4a2@gregkh> Date: Fri, 23 Jan 2026 16:25:02 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-22991: libceph: make free_choose_arg_map() resilient to partial allocation From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. The Linux kernel CVE team has assigned CVE-2026-22991 to this issue. Affected and fixed versions =========================== Fixed in 5.10.248 with commit 9b3730dabcf3764bfe3ff07caf55e641a0b45234 Fixed in 5.15.198 with commit 851241d3f78a5505224dc21c03d8692f530256b4 Fixed in 6.1.161 with commit ec1850f663da64842614c86b20fe734be070c2ba Fixed in 6.6.121 with commit 8081faaf089db5280c3be820948469f7c58ef8dd Fixed in 6.12.66 with commit c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf Fixed in 6.18.6 with commit f21c3fdb96833aac2f533506899fe38c19cf49d5 Fixed in 6.19-rc5 with commit e3fe30e57649c551757a02e1cad073c47e1e075e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-22991 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ceph/osdmap.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234 https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4 https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5 https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e
Powered by blists - more mailing lists