CVE-2026-23201 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix oops due to invalid pointer for kfree() in parse_longname()

This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.

The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer.

Steps to reproduce:

1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)

2. Add cephfs mount to fstab $ echo "[email protected]=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab

3. Reboot the system $ systemctl reboot

4. Check if it's really mounted $ mount | grep stuff

5. List snapshots (expected 63 snapshots on my system) $ ls /mnt/test/stuff/.snap

Now ls hangs forever and the kernel log shows the oops.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/24/2026

This vulnerability exists within the Linux kernel's Ceph file system implementation where a kernel oops occurs when attempting to read Ceph snapshot directories through the parse_longname() function. The issue manifests when users execute simple directory listing operations such as ls /mnt/my_ceph/.snap on Ceph file system volumes that contain snapshot directories. The root cause involves improper memory management where a pointer variable named str is advanced by one position to skip the initial underscore character in snapshot names, yet the original pointer value is still passed to kfree() for memory deallocation. This fundamental flaw in pointer arithmetic results in a kernel oops condition that crashes the system's kernel execution.

The technical flaw represents a classic case of invalid pointer dereference that aligns with CWE-415, which describes improper handling of memory allocation and deallocation operations. The vulnerability specifically occurs in the Ceph file system kernel module where memory allocated for snapshot name processing is incorrectly managed during the parsing phase. The variable str undergoes pointer arithmetic to skip the leading underscore character that identifies snapshot directories, but this advancement creates a scenario where kfree() operates on a memory address that was never allocated to the current pointer reference. This improper pointer manipulation violates fundamental kernel memory management principles and creates a condition where the kernel cannot safely free memory resources.

The operational impact of this vulnerability is severe as it causes the system to hang indefinitely when attempting to list snapshot directories, effectively rendering the Ceph file system mount point unusable for snapshot operations. The kernel oops condition not only prevents normal file system operations but also potentially exposes the system to broader stability issues that could affect other kernel subsystems. This vulnerability affects systems running Linux kernel versions where the Ceph file system implementation has not been patched, particularly impacting enterprise environments that rely heavily on Ceph distributed storage solutions for their data management needs. The hanging behavior during ls operations indicates a complete system lockup that requires manual intervention through system reboot to restore functionality.

The recommended mitigation strategy involves applying the kernel patch that corrects the pointer arithmetic in the parse_longname() function to ensure that kfree() is always called with the original allocated memory pointer rather than an advanced pointer position. This fix aligns with ATT&CK technique T1547.001 which involves modifying system boot processes and kernel modules to maintain system stability. System administrators should prioritize applying this patch to all affected systems, particularly those running Ceph file system mounts with snapshot directories. Additionally, monitoring systems should be configured to detect kernel oops conditions and alert administrators to potential memory corruption issues that could indicate similar vulnerabilities in other kernel subsystems. The patch implementation should be tested in staging environments before deployment to production systems to ensure no regressions in Ceph file system functionality occur during the remediation process.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00112

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!