CVE-2026-23189 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's CephFS client, specifically within the ceph_mds_auth_match() function. This regression, introduced in kernel version 6.18-rc1, occurs when the fs_name variable is NULL during authorization matching operations. The vulnerability arises from improper handling of the mds_namespace mount option, where the kernel attempts to perform a string comparison against a NULL pointer when no namespace is explicitly specified during mount operations.
Critical Impact
This vulnerability can cause a kernel panic or system crash when CephFS clients attempt to authenticate against the Metadata Server (MDS) without explicitly specifying an mds_namespace mount option, leading to denial of service conditions on affected systems.
Affected Products
- Linux kernel versions starting from 6.18-rc1
- Systems using the CephFS kernel client
- Ceph distributed storage deployments utilizing kernel-based CephFS mounts
Discovery Timeline
- February 14, 2026 - CVE CVE-2026-23189 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23189
Vulnerability Analysis
The vulnerability exists in the CephFS kernel client's authorization matching logic within ceph_mds_auth_match(). When a CephFS mount is performed without specifying the -o mds_namespace= option, the fs_name variable derived from mdsc->fsc->mount_options->mds_namespace can be NULL. The existing code attempted to compare this potentially NULL value using strcmp() without proper null-checking, resulting in a NULL pointer dereference.
The issue is particularly relevant because while the mds_namespace mount option was originally intended only for selecting which file system to mount, the authorization code incorrectly assumed it would always contain a valid string value. In scenarios where only a single CephFS file system exists, users may omit the namespace specification entirely, triggering the vulnerability during authentication.
Root Cause
The root cause is improper validation of the fs_name pointer before use in string comparison operations. The ceph_mds_auth_match() function assumes that mdsc->fsc->mount_options->mds_namespace always contains a valid string, but this field can legitimately be NULL when users don't specify the -o mds_namespace= mount option. The fix involves reworking ceph_mdsmap_decode() and namespace_equals() to properly extract and store the filesystem name from the MDSMap into a new m_fs_name field in struct ceph_mdsmap, defaulting to "cephfs" for legacy file systems.
Attack Vector
This vulnerability is triggered locally when mounting a CephFS filesystem without specifying the mds_namespace mount option. An attacker with local access to a system configured to use CephFS could potentially trigger this vulnerability to cause a denial of service by initiating mount operations. The attack requires the ability to execute mount commands on the affected system.
The vulnerable code path is executed during the MDS authentication process, making the attack surface limited to scenarios where CephFS mount operations are performed.
Detection Methods for CVE-2026-23189
Indicators of Compromise
- Kernel panic messages containing references to ceph_mds_auth_match in the call stack
- System crashes during CephFS mount operations, particularly those without explicit mds_namespace option
- Kernel oops logs showing NULL pointer dereference in CephFS-related functions
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors originating from the Ceph kernel module
- Implement log analysis rules to detect patterns matching BUG: kernel NULL pointer dereference combined with ceph_mds_auth_match
- Review system audit logs for CephFS mount operations that do not include the mds_namespace parameter
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed information for post-incident analysis
- Configure centralized logging to aggregate kernel messages from systems with CephFS deployments
- Set up alerts for system instability indicators on CephFS client nodes
How to Mitigate CVE-2026-23189
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- Temporarily specify the -o mds_namespace=<fs_name> option explicitly for all CephFS mount operations
- Audit existing CephFS mount configurations to ensure namespace options are properly specified
- Monitor affected systems for unexpected crashes or instability
Patch Information
The vulnerability has been addressed through kernel patches that rework the ceph_mdsmap_decode() and namespace_equals() functions. The fix introduces a new m_fs_name field in struct ceph_mdsmap that properly stores the filesystem name extracted via ceph_extract_encoded_string(), defaulting to "cephfs" for older CephFS deployments. The relevant patches are available in the following kernel commits:
Workarounds
- Explicitly specify the mds_namespace mount option when mounting CephFS filesystems to avoid the NULL pointer condition
- Update /etc/fstab entries for CephFS mounts to include the namespace parameter
- Consider using the Ceph FUSE client (ceph-fuse) as an alternative until kernel patches are applied
# Configuration example
# Workaround: Explicitly specify mds_namespace when mounting CephFS
mount -t ceph <mon_addrs>:/ /mnt/cephfs -o name=admin,secret=<key>,mds_namespace=cephfs
# Update /etc/fstab to include mds_namespace option
# <mon_addrs>:/ /mnt/cephfs ceph name=admin,secretfile=/etc/ceph/secret,mds_namespace=cephfs 0 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
