CVE-2026-46024 Overview
CVE-2026-46024 is a null pointer dereference vulnerability in the Linux kernel's libceph subsystem. The flaw resides in the ceph_handle_auth_reply() function, which processes messages of type CEPH_MSG_AUTH_REPLY from Ceph cluster peers. When a reply message contains zero values for both the protocol and result fields, the kernel fails to treat the condition as an error. This results in ac->protocol being set to 0 and ac->ops being set to NULL, after which ac->ops->handle_reply() is invoked, triggering a null pointer dereference.
Critical Impact
A malformed authentication reply from a Ceph peer can crash the kernel through a null pointer dereference in libceph, resulting in denial of service on systems mounting Ceph filesystems or using RBD block devices.
Affected Products
- Linux kernel versions containing the vulnerable libceph authentication handling code
- Systems using libceph for CephFS, RBD, or RADOS client functionality
- Distributions shipping unpatched stable kernels referenced in the upstream commits
Discovery Timeline
- 2026-05-27 - CVE-2026-46024 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46024
Vulnerability Analysis
The vulnerability exists in the ceph_handle_auth_reply() function within the Linux kernel's libceph module. This function processes CEPH_MSG_AUTH_REPLY messages exchanged during authentication negotiation between a Ceph client and monitor. The logic does not validate the case where both the protocol and result fields in the reply are zero.
When ac->negotiating is true and ac->protocol already holds a positive value, a reply carrying protocol 0 (and a result of 0, so it is not caught as an explicit error) takes the handler-reset path: ac->protocol is reset to 0 and ac->ops is cleared to NULL. The subsequent check ac->protocol != protocol then evaluates to false because both sides are zero, so init_protocol() is never called. Execution proceeds to dereference ac->ops->handle_reply() through the NULL pointer, which crashes the kernel.
Root Cause
The root cause is a NULL pointer dereference [CWE-476] made reachable by insufficient validation of the protocol field in authentication replies. The original comparison ac->protocol != protocol cannot distinguish a freshly reset client (protocol 0, no ops) from a reply that legitimately matches the current protocol, so a zero-protocol reply leaves a code path that operates on a NULL operations pointer. The upstream fix replaces the comparison with !ac->protocol, which forces init_protocol() to run for any client without an active protocol and therefore rejects zero-protocol replies as carrying a bad authentication protocol.
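The following is an added example, not kernel code and not taken from the upstream commits: a simplified userspace model of the negotiation branch in ceph_handle_auth_reply(), with the vulnerable protocol check next to the fixed one. All struct, function and constant names (model_auth_client, model_handle_auth_reply, MODEL_PROTO_CEPHX, ERR_NULL_OPS) are assumptions chosen for illustration, and instead of dereferencing a NULL ops pointer the model reports it as a distinct error code so that the program runs safely.

```c
/* Added example, not libceph code: a model of the negotiation branch of
 * ceph_handle_auth_reply(). Names and error values are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PROTO_NONE  0    /* the protocol value a crafted reply carries */
#define MODEL_PROTO_CEPHX 2    /* stands in for an already-negotiated protocol */

#define ERR_INVAL    (-22)     /* bad authentication protocol */
#define ERR_NULL_OPS (-1000)   /* model-only: the real kernel would oops here */

struct model_auth_client;

struct model_auth_ops {
    int (*handle_reply)(struct model_auth_client *ac, int result);
};

struct model_auth_client {
    bool negotiating;
    int protocol;
    const struct model_auth_ops *ops;  /* NULL until a protocol is initialised */
};

static int cephx_handle_reply(struct model_auth_client *ac, int result)
{
    (void)ac;
    return result;  /* a real handler parses the payload; the model returns the status */
}

static const struct model_auth_ops cephx_ops = { .handle_reply = cephx_handle_reply };

/* Stands in for init_protocol(): only a known, non-zero protocol gets an ops table. */
static int model_init_protocol(struct model_auth_client *ac, int protocol)
{
    if (protocol != MODEL_PROTO_CEPHX)
        return ERR_INVAL;   /* zero or unknown protocol is rejected */
    ac->protocol = protocol;
    ac->ops = &cephx_ops;
    return 0;
}

/* Shared negotiation logic; `fixed` selects the pre- or post-patch check. */
static int model_handle_auth_reply(struct model_auth_client *ac, int protocol,
                                   int result, bool fixed)
{
    if (ac->negotiating) {
        /* Server rejected our protocols: a negative result is an explicit error.
         * protocol == 0 with result == 0 slips past this check. */
        if (!protocol && result < 0)
            return result;

        /* Protocol changed: tear down the current handler. For the crafted
         * reply this leaves ac->protocol == 0 and ac->ops == NULL. */
        if (ac->protocol && ac->protocol != protocol) {
            ac->protocol = 0;
            ac->ops = NULL;
        }

        /* Vulnerable check: 0 != 0 is false, so init_protocol() is skipped.
         * Fixed check: !ac->protocol is true, so init_protocol(ac, 0) runs
         * and rejects the zero protocol before any ops pointer is used. */
        bool need_init = fixed ? !ac->protocol : (ac->protocol != protocol);
        if (need_init) {
            int ret = model_init_protocol(ac, protocol);
            if (ret)
                return ret;
        }
        ac->negotiating = false;
    }

    /* The kernel dereferences ac->ops here; the model reports it instead. */
    if (!ac->ops)
        return ERR_NULL_OPS;
    return ac->ops->handle_reply(ac, result);
}

/* Crafted protocol=0,result=0 reply delivered to a client mid-negotiation. */
static int run_crafted_reply(bool fixed)
{
    struct model_auth_client ac = {
        .negotiating = true, .protocol = MODEL_PROTO_CEPHX, .ops = &cephx_ops,
    };
    return model_handle_auth_reply(&ac, MODEL_PROTO_NONE, 0, fixed);
}

/* A legitimate reply for the negotiated protocol succeeds in both versions. */
static int run_valid_reply(bool fixed)
{
    struct model_auth_client ac = {
        .negotiating = true, .protocol = MODEL_PROTO_CEPHX, .ops = &cephx_ops,
    };
    return model_handle_auth_reply(&ac, MODEL_PROTO_CEPHX, 0, fixed);
}

int main(void)
{
    printf("crafted reply, vulnerable: %d\n", run_crafted_reply(false));  /* -1000 */
    printf("crafted reply, fixed:      %d\n", run_crafted_reply(true));   /* -22 */
    printf("valid reply,   fixed:      %d\n", run_valid_reply(true));     /* 0 */
    return 0;
}
```

The two checks differ only for a client whose protocol has just been reset: the old comparison asks "does the reply match what I have?", which a zero reply trivially satisfies once the reset has zeroed both sides, whereas the fixed check asks "do I have a protocol at all?" and routes every such reply through init_protocol(), where an unknown protocol value is rejected.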
Attack Vector
Exploitation requires the ability to deliver a crafted CEPH_MSG_AUTH_REPLY message to a vulnerable client. A malicious or compromised Ceph monitor, or an attacker positioned in the network path between a client and monitor without proper transport security, can send a message with both protocol and result set to zero. The resulting null pointer dereference crashes the client kernel, producing a denial of service condition. Refer to the upstream commits for technical details of the patched code path.
Detection Methods for CVE-2026-46024
Indicators of Compromise
- Kernel oops or panic messages referencing ceph_handle_auth_reply or libceph in the call stack
- Unexpected client disconnects from Ceph monitors followed by kernel crash dumps
- CEPH_MSG_AUTH_REPLY packets observed with both protocol and result fields set to zero in network captures
Detection Strategies
- Inspect kernel crash dumps and dmesg output for null pointer dereference traces inside libceph authentication functions
- Monitor Ceph client logs for repeated authentication failures or abrupt session terminations preceding host reboots
- Audit installed kernel package versions against the upstream stable commits listed in the vendor advisories
Monitoring Recommendations
- Enable persistent kernel crash collection via kdump on hosts mounting CephFS or consuming RBD volumes
- Track Ceph monitor connectivity events and correlate client-side reboots with auth negotiation activity
- Restrict and log network paths between Ceph clients and monitors to detect unauthorized peers injecting traffic
How to Mitigate CVE-2026-46024
Immediate Actions Required
- Apply the upstream stable kernel patches that change the protocol check in ceph_handle_auth_reply() to !ac->protocol
- Update affected Linux distributions to kernel versions that include the referenced fix commits
- Restrict Ceph monitor access to trusted networks and authenticated peers only
Patch Information
The upstream fix is available in the Linux kernel stable tree across multiple branches. See the patch commits: 016bc663657366d386993f63eb31072eb45a2b77, 4b2738b93edad661178340239de657d876b73d3d, 5199c125d25aeae8615c4fc31652cc0fe624338e, 8f2be7285941a33a9f72579a23b96392f83c758e, and 927e4bd5692f2a4901808822981fb2c8d4456548.
Workarounds
- Unmount CephFS and disconnect RBD clients on hosts that cannot be patched immediately
- Enforce cephx authentication and ms_mode=secure transport to prevent untrusted peers from injecting auth replies
- Use network segmentation and firewall rules to limit which hosts can communicate with Ceph monitor ports
# Verify the running kernel version and check for the libceph module
uname -r
modinfo libceph | grep -E 'version|filename'
# Temporarily prevent automatic CephFS mounts until kernel is patched
sudo systemctl mask ceph-client.target
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.