CVE-2026-23189 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL:
const char fs_name = mdsc->fsc->mount_options->mds_namespace; ... if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
/ fsname mismatch, try next one */ return 0; }
Patrick Donnelly suggested that: In summary, we should definitely start decoding `fs_name` from the MDSMap and do strict authorizations checks against it. Note that the `-o mds_namespace=foo` should only be used for selecting the file system to mount and nothing else. It's possible no mds_namespace is specified but the kernel will mount the only file system that exists which may have name "foo".
This patch reworks ceph_mdsmap_decode() and namespace_equals() with the goal of supporting the suggested concept. Now struct ceph_mdsmap contains m_fs_name field that receives copy of extracted FS name by ceph_extract_encoded_string(). For the case of "old" CephFS file systems, it is used "cephfs" name.
[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),
get rid of a series of strlen() calls in ceph_namespace_match(), drop changes to namespace_equals() body to avoid treating empty mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap() as namespace_equals() isn't an equivalent substitution there ]
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/05/2026
The vulnerability CVE-2026-23189 represents a critical NULL pointer dereference flaw within the Linux kernel's CephFS client implementation, specifically in the ceph_mds_auth_match() function. This issue emerged as a regression starting from kernel version 6.18-rc1, affecting the Ceph File System's authentication and authorization mechanisms. The flaw occurs when the fs_name parameter becomes NULL during authentication processing, creating a potential crash condition that could be exploited to disrupt file system operations and compromise system stability. The vulnerability directly impacts the CephFS kernel client's ability to properly validate and match file system namespaces during authentication procedures, fundamentally undermining the security posture of systems relying on Ceph distributed storage.
The technical implementation of this vulnerability stems from improper handling of the mds_namespace parameter within the CephFS authentication flow. When the kernel client attempts to authenticate against a Ceph Metadata Server, the ceph_mds_auth_match() function processes the file system name without adequate NULL checking. The problematic code path involves extracting the fs_name from mdsc->fsc->mount_options->mds_namespace and subsequently comparing it against authentication match parameters. When fs_name evaluates to NULL, the strcmp() function call fails catastrophically, leading to a kernel panic or system crash. This represents a classic NULL pointer dereference vulnerability (CWE-476) that violates proper input validation and defensive programming principles.
The operational impact of this vulnerability extends beyond simple system instability, potentially enabling denial-of-service attacks against Ceph storage clusters and compromising the availability of critical file system services. Attackers could exploit this flaw by manipulating mount parameters or network conditions to trigger the NULL pointer dereference, causing the kernel to crash and requiring system restarts. The vulnerability affects systems using CephFS clients in production environments where authentication and authorization are critical for maintaining data integrity and access control. Organizations relying on Ceph distributed storage solutions face significant operational risks, as this vulnerability could be leveraged to disrupt services or potentially gain unauthorized access to storage resources through carefully crafted authentication requests.
The fix implemented addresses this vulnerability by reworking the ceph_mdsmap_decode() and namespace_equals() functions to properly handle namespace extraction and comparison operations. The solution introduces a dedicated m_fs_name field within the ceph_mdsmap structure to store extracted file system names, utilizing ceph_extract_encoded_string() to ensure proper string handling. This approach eliminates the NULL pointer dereference by guaranteeing that file system names are always properly initialized, even for legacy CephFS installations that may not explicitly specify an mds_namespace. The patch also removes redundant string length calculations and streamlines the namespace matching logic, improving both security and performance. This remediation aligns with ATT&CK technique T1499.004 for avoiding detection through proper input validation and follows security best practices for preventing kernel-level crashes through defensive programming. The implementation ensures that when no explicit mds_namespace is specified, the system correctly identifies and mounts the only available file system, maintaining backward compatibility while eliminating the security flaw that could be exploited for privilege escalation or system compromise.