CVE-2026-22991 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's libceph component. The vulnerability exists in the free_choose_arg_map() function, which dereferences a NULL pointer when its caller fails part-way through building a choose_arg map. The flaw is reached from decode_choose_args(): when the allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called on a partially initialized structure whose size field is already set while its args pointer is still NULL.
Critical Impact
A NULL pointer dereference in kernel space produces a kernel oops, and with panic_on_oops (the default on many server builds) a full kernel panic. The result is a crash and denial of service on the host running the in-kernel Ceph client (CephFS or RBD); the Ceph cluster itself is not affected, but any workload on that host that depends on the mounted storage is.
Affected Products
- Linux Kernel (multiple stable versions)
- Systems utilizing the libceph kernel module
- Hosts using the in-kernel Ceph clients (the ceph filesystem and rbd block device modules), both of which depend on libceph
Discovery Timeline
- 2026-01-23 - CVE CVE-2026-22991 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22991
Vulnerability Analysis
This vulnerability is a classic NULL pointer dereference resulting from inadequate error handling during memory allocation operations. The root issue lies in the sequencing of operations within decode_choose_args(): the function updates arg_map->size to a non-zero value before actually allocating memory for arg_map->args. When the subsequent memory allocation fails, the cleanup routine free_choose_arg_map() incorrectly assumes the memory was allocated because arg_map->size indicates a non-zero count.
The libceph module is responsible for handling communication between Linux systems and Ceph distributed storage clusters. The CRUSH algorithm (Controlled Replication Under Scalable Hashing) uses choose_arg structures for data placement calculations. When these structures fail to allocate properly during cluster map decoding, the cleanup path becomes vulnerable.
Root Cause
The vulnerability stems from the order in which state is updated and memory is allocated (there is no concurrency involved; it is a plain sequencing bug on the error path). The arg_map->size field is set prior to the corresponding memory allocation for arg_map->args. When allocation fails:
- arg_map->size contains a non-zero value
- arg_map->args remains NULL (allocation failed)
- free_choose_arg_map() iterates based on size and attempts to access NULL args pointer
The fix adds explicit NULL pointer checks before iterating over arg_map->args, making the cleanup function resilient to partial allocation states regardless of when the failure occurs.
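To make the ordering problem and the resulting partial-allocation state concrete, the following is an added userspace C model written for this page; it is not libceph code. Structure and function names follow the kernel's net/ceph/osdmap.c loosely, but the struct layout is reduced to a single ids array per bucket, and the fault-injecting allocator model_kcalloc(), reset_fault_injection(), the decode_result struct and the per-bucket sample input are all assumptions made for this example. The decoder keeps the kernel's ordering (size stored first, args allocated second) and reports whether the pre-fix cleanup loop would have indexed a NULL args array at the fail label; the cleanup shown is the hardened form that checks args before iterating.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Reduced model of the CRUSH choose_arg structures (assumption: only the
 * ids array is modelled; the kernel structs carry weight sets as well). */
struct crush_choose_arg {
    int32_t *ids;
    uint32_t ids_size;
};

struct crush_choose_arg_map {
    uint64_t choose_args_index;
    struct crush_choose_arg *args;
    uint32_t size;
};

/* Fault injection (assumed for this example): the Nth allocation returns
 * NULL; 0 means never fail. */
static int fail_alloc_at;
static int alloc_count;

static void reset_fault_injection(int fail_at)
{
    fail_alloc_at = fail_at;
    alloc_count = 0;
}

static void *model_kcalloc(size_t n, size_t sz)
{
    if (++alloc_count == fail_alloc_at)
        return NULL;
    /* calloc(0, ...) may legally return NULL; the kernel hands back a
     * ZERO_SIZE_PTR instead, so keep zero-length arrays non-NULL here. */
    return calloc(n ? n : 1, sz);
}

/* Hardened cleanup: args is checked before the per-bucket loop, so a map
 * whose size was recorded but whose args allocation failed is freed safely.
 * The pre-fix loop indexed args[i] unconditionally whenever size != 0. */
static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
{
    if (!arg_map)
        return;
    if (arg_map->args) {
        for (uint32_t i = 0; i < arg_map->size; i++)
            free(arg_map->args[i].ids);   /* free(NULL) is a no-op */
        free(arg_map->args);
    }
    free(arg_map);
}

struct decode_result {
    int err;                        /* 0 on success, -ENOMEM on failure */
    int prefix_cleanup_would_oops;  /* size != 0 && args == NULL at 'fail' */
};

/* Builds one map for max_buckets buckets, allocating ids_per_bucket[i] ids
 * for bucket i. Keeps the kernel's ordering: size is stored before args is
 * allocated. On failure the partially built map is released and the state
 * observed at the fail label is reported back to the caller. */
static struct decode_result
decode_choose_arg_map(uint32_t max_buckets, const uint32_t *ids_per_bucket,
                      struct crush_choose_arg_map **out)
{
    struct decode_result r = { 0, 0 };
    struct crush_choose_arg_map *m;

    *out = NULL;
    m = model_kcalloc(1, sizeof(*m));
    if (!m) {
        r.err = -ENOMEM;
        return r;
    }

    m->size = max_buckets;                               /* step 1: size */
    m->args = model_kcalloc(m->size, sizeof(*m->args));  /* step 2: args */
    if (!m->args) {
        r.err = -ENOMEM;
        goto fail;
    }

    for (uint32_t i = 0; i < m->size; i++) {
        struct crush_choose_arg *arg = &m->args[i];

        arg->ids_size = ids_per_bucket[i];
        arg->ids = model_kcalloc(arg->ids_size, sizeof(*arg->ids));
        if (!arg->ids) {
            r.err = -ENOMEM;
            goto fail;
        }
    }
    *out = m;
    return r;

fail:
    r.prefix_cleanup_would_oops = (m->size != 0 && m->args == NULL);
    free_choose_arg_map(m);
    return r;
}

int main(void)
{
    const uint32_t ids[3] = { 2, 0, 5 };   /* constructed sample input */
    struct crush_choose_arg_map *m;
    struct decode_result r;

    /* Allocation order: 1 = map, 2 = args, 3..5 = ids of buckets 0..2. */
    for (int fail_at = 0; fail_at <= 5; fail_at++) {
        reset_fault_injection(fail_at);
        r = decode_choose_arg_map(3, ids, &m);
        printf("fail allocation #%d: err=%d, pre-fix cleanup would oops=%d\n",
               fail_at, r.err, r.prefix_cleanup_would_oops);
        free_choose_arg_map(m);
    }
    return 0;
}
```

Failing the second allocation (args) is the exact state described above: size is 3, args is NULL, and only the args check in the cleanup keeps the loop from indexing through NULL. Failing a later allocation leaves args allocated and zero-filled, so the cleanup walks it and frees whatever was set up; the hardened cleanup handles every failure point identically, which is what makes it robust to future changes in the decoder rather than just to this one ordering. An equivalent fix would be to assign size only after the args allocation succeeds, but that protects a single caller, whereas the check in the cleanup protects all of them.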
Attack Vector
The attack vector is indirect. The CRUSH map is decoded as part of the OSD map that the kernel client receives from the cluster's monitors, so the decode runs on data the host itself does not author; the precondition, however, is not the content of the map but an allocation failure during its decode. Nothing in the advisory establishes that an attacker can force that failure on demand, so the realistic trigger is a system under memory pressure (or one processing an unusually large map) at the moment a map update arrives. The condition could be reached through:
- Memory exhaustion scenarios causing kmalloc failures
- Processing of malformed or oversized CRUSH map configurations
- Cluster reconfiguration events during low-memory conditions
Detection Methods for CVE-2026-22991
Indicators of Compromise
- Kernel panic or oops messages referencing free_choose_arg_map or libceph module functions
- System crashes occurring during Ceph cluster map updates or client mount operations
- Kernel log entries showing NULL pointer dereference in the ceph subsystem
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors involving libceph components (dmesg, journalctl -k, or the syslog kernel facility), looking for "BUG: kernel NULL pointer dereference" followed by a call trace that includes free_choose_arg_map or decode_choose_args
- Implement kernel crash dump analysis to identify stack traces pointing to free_choose_arg_map() function
- Use kernel tracing tools (ftrace, eBPF) to monitor ceph module function calls during cluster operations
Monitoring Recommendations
- Deploy kernel event monitoring for oops and panic conditions in production environments
- Configure kdump for automatic kernel crash dump collection to capture forensic evidence
- Monitor Ceph client connection and map decode operations for anomalous failures
How to Mitigate CVE-2026-22991
Immediate Actions Required
- Update Linux kernel to patched versions containing the fix for free_choose_arg_map() resilience
- Review and apply kernel patches from the official Git commits provided by kernel maintainers
- Consider temporarily reducing memory pressure on affected systems if immediate patching is not possible
Patch Information
Multiple kernel stable branches have received patches to address this vulnerability. The fix adds NULL pointer checks to free_choose_arg_map() before iterating over the args array, ensuring safe cleanup regardless of allocation state.
Official patches are available from the following kernel Git commits:
- Kernel Git Commit 8081faaf
- Kernel Git Commit 851241d3
- Kernel Git Commit 9b3730da
- Kernel Git Commit c4c2152a
- Kernel Git Commit e3fe30e5
- Kernel Git Commit ec1850f6
- Kernel Git Commit f21c3fdb
Workarounds
- Unload the libceph kernel module if Ceph storage is not required on affected systems
- Ensure adequate system memory is available to minimize allocation failure scenarios
- Consider using userspace Ceph clients (ceph-fuse for CephFS, rbd-nbd for RBD, or librados directly) instead of the kernel clients until patching is complete; these do not load libceph and so do not reach the affected code
# Check whether the in-kernel Ceph clients are loaded (ceph and rbd both depend on libceph)
lsmod | grep -E '^(ceph|rbd|libceph) '
# Unload them if nothing is mounted or mapped (temporary workaround; modprobe -r refuses
# while a CephFS mount or an rbd device is still in use, so unmount/unmap first)
sudo modprobe -r ceph
sudo modprobe -r rbd
sudo modprobe -r libceph
# Record the running kernel version for comparison with the fixed packages
uname -r
# Update the kernel through the distribution metapackage (Debian: linux-image-amd64,
# Ubuntu: linux-image-generic). Upgrading linux-image-$(uname -r) only refreshes the
# package for the kernel already running and does not pull in a newer version.
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# Reboot into the new kernel, then confirm with uname -r that the patched version is running
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

