CVE-2026-43304: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-43304 Overview

CVE-2026-43304 is a vulnerability in the Linux kernel's libceph subsystem. The flaw resides in process_auth_done(), where the kernel decodes authentication key material without enforcing a maximum length. An attacker can send crafted authentication data that exceeds the fixed-size buffer used during key processing. The upstream fix introduces a new CEPH_MAX_KEY_LEN constant and enforces it during decoding. The patch also removes the prior check that only rejected zero-length keys, which was incomplete because it required excluding CEPH_CRYPTO_NONE and ignored undersized key material.

Critical Impact

A network-accessible attacker can supply oversized key material to a Ceph client, triggering memory corruption in kernel space with potential for code execution or denial of service.

Affected Products

• Linux Kernel (libceph module) — multiple stable branches
• Distributions shipping vulnerable kernels with Ceph client support enabled
• Systems mounting CephFS or using RBD via the in-kernel Ceph client

Discovery Timeline

• 2026-05-08 - CVE-2026-43304 published to NVD
• 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2026-43304

Vulnerability Analysis

The vulnerability sits inside process_auth_done() in the kernel's Ceph client library. When the client negotiates authentication with a Ceph monitor, it decodes server-supplied key material into a fixed-size buffer. The pre-patch code only checked whether the key was empty. It did not validate the upper bound of the key length before copying bytes into the destination buffer.

An attacker positioned to respond to the client's authentication exchange can supply key material larger than the buffer can hold. The decoding routine then writes past the buffer boundary, corrupting adjacent kernel memory. Because the attack reaches kernel context, successful exploitation can lead to privilege escalation, kernel panic, or arbitrary code execution.

The condition is classified under [NVD-CWE-noinfo], but the behavior maps to a classic missing input validation issue producing an out-of-bounds write. The fix replaces the empty-key check with a strict CEPH_MAX_KEY_LEN boundary enforced before any copy occurs.

Root Cause

The root cause is missing input validation in the Ceph authentication decode path. The kernel trusted the length field from the peer and copied key bytes into a fixed buffer without verifying that the declared size would fit. The prior sanity check only rejected zero-length keys and excluded the CEPH_CRYPTO_NONE case, leaving oversized keys unchecked.

Attack Vector

Exploitation requires the target system to initiate or maintain a Ceph client connection. An attacker who controls or impersonates a Ceph monitor — or who can perform a man-in-the-middle on unauthenticated traffic — supplies a malformed authentication reply containing an oversized key. No user interaction or local privileges are required. The vulnerability is reachable over the network wherever the Ceph client trusts the peer during the initial handshake.

No public proof-of-concept exploit code is available. Readers should consult the upstream kernel commits for the precise code-level details of the decoding flow and the fix.

Detection Methods for CVE-2026-43304

Indicators of Compromise

• Unexpected kernel oops, panic, or BUG: messages referencing libceph, process_auth_done, or ceph_x_decrypt in dmesg and /var/log/kern.log.
• Ceph client sessions repeatedly failing authentication against unknown or unexpected monitor endpoints.
• Connections from Ceph clients to monitor IPs outside the documented storage cluster CIDR.

Detection Strategies

• Inventory hosts where CONFIG_CEPH_LIB is enabled and the libceph, ceph, or rbd modules are loaded; treat these as in scope.
• Monitor kernel ring buffer telemetry for crashes or warnings originating in the Ceph client path and correlate with network activity to TCP/6789 and TCP/3300.
• Inspect netflow or eBPF telemetry for Ceph client traffic terminating at endpoints not on the approved monitor list.

Monitoring Recommendations

• Forward kernel logs and crash dumps to a centralized logging or SIEM platform and alert on libceph panics.
• Baseline expected Ceph monitor destinations and alert on deviation, particularly outbound traffic to unmanaged hosts.
• Track kernel package versions across the fleet and flag any host still running a pre-patch build.

How to Mitigate CVE-2026-43304

Immediate Actions Required

• Apply the kernel updates from your Linux distribution that include the CEPH_MAX_KEY_LEN fix and reboot affected hosts.
• On systems that do not use Ceph, unload and blacklist the ceph, libceph, and rbd modules to remove the attack surface.
• Restrict egress so Ceph clients can only reach known monitor IP addresses on TCP/6789 and TCP/3300.

Patch Information

The upstream fix is distributed across multiple stable branches. See the relevant commits: 1b275bd, 6405e8c, 8d745d3, ac431d5, c1a0f5f, d82467c, and e1dc45d. Consult your distribution's security tracker for the corresponding package release.

Workarounds

• Disable in-kernel Ceph access on hosts that do not require it and rely on userspace clients where feasible.
• Enforce cephx authentication and require ms_client_mode=secure and ms_cluster_mode=secure so all traffic is mutually authenticated and encrypted.
• Use network segmentation or firewall rules to ensure Ceph traffic is confined to a trusted storage VLAN.

# Block the libceph module on hosts that do not use Ceph
echo 'blacklist ceph'    | sudo tee /etc/modprobe.d/disable-ceph.conf
echo 'blacklist libceph' | sudo tee -a /etc/modprobe.d/disable-ceph.conf
echo 'blacklist rbd'     | sudo tee -a /etc/modprobe.d/disable-ceph.conf
sudo update-initramfs -u

# Verify the running kernel version after patching
uname -r