{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22991", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.937Z", "datePublished": "2026-01-23T15:24:12.191Z", "dateUpdated": "2026-05-11T21:57:53.477Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:53.477Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map->args\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map->size is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map->args and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ceph/osdmap.c"], "versions": [{"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "9b3730dabcf3764bfe3ff07caf55e641a0b45234", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "851241d3f78a5505224dc21c03d8692f530256b4", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "ec1850f663da64842614c86b20fe734be070c2ba", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "8081faaf089db5280c3be820948469f7c58ef8dd", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "f21c3fdb96833aac2f533506899fe38c19cf49d5", "status": "affected", "versionType": "git"}, {"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c", "lessThan": "e3fe30e57649c551757a02e1cad073c47e1e075e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ceph/osdmap.c"], "versions": [{"version": "4.13", "status": "affected"}, {"version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.248", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.198", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.161", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.121", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.66", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.10.248"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.15.198"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.1.161"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.6.121"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.12.66"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"}, {"url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"}, {"url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"}, {"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"}, {"url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"}, {"url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"}, {"url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"}], "title": "libceph: make free_choose_arg_map() resilient to partial allocation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "14DEF845-E647-4A78-9311-A8F1A59E3A66", "versionEndExcluding": "5.10.248", "versionStartIncluding": "4.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E", "versionEndExcluding": "5.15.198", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E135B7E2-61FC-4DC1-8570-ABD67894FFDE", "versionEndExcluding": "6.1.161", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C", "versionEndExcluding": "6.6.121", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0", "versionEndExcluding": "6.12.66", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map->args\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map->size is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map->args and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nlibceph: hacer free_choose_arg_map() resistente a la asignaci\u00f3n parcial\n\nfree_choose_arg_map() puede desreferenciar un puntero NULL si su llamador falla despu\u00e9s de una asignaci\u00f3n parcial.\n\nPor ejemplo, en decode_choose_args(), si la asignaci\u00f3n de arg_map->args falla, la ejecuci\u00f3n salta a la etiqueta fail y se llama a free_choose_arg_map(). Dado que arg_map->size se actualiza a un valor distinto de cero antes de la asignaci\u00f3n de memoria, free_choose_arg_map() iterar\u00e1 sobre arg_map->args y desreferenciar\u00e1 un puntero NULL.\n\nPara evitar esta potencial desreferencia de puntero NULL y hacer free_choose_arg_map() m\u00e1s resistente, a\u00f1adir comprobaciones para los punteros antes de iterar."}], "id": "CVE-2026-22991", "lastModified": "2026-04-27T14:16:28.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:55.183", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: libceph: make free_choose_arg_map() resilient to partial allocation", "id": "2432384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432384"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22991", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22991\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22991\nhttps://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22991-e4a2@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-28T09:46:28.465329+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a patched version such as any later release that includes the fixed free_choose_arg_map() function.", "If an immediate kernel upgrade is not possible, backport the commit that adds NULL pointer checks to free_choose_arg_map() from the upstream repository.", "Monitor system logs for kernel oops entries related to libceph and consider disabling or sandboxing Ceph mounts until a patch is applied."], "summary": {"action": "Update Kernel", "impact": "NULL pointer dereference leading to kernel crash"}, "threat_synthesis": {"affected_systems": "All builds of the Linux Kernel that include the vulnerable libceph code are affected, specifically the 6.19 release candidates (rc1 through rc4) and any kernel versions derived from them before the patch was backported. Upgrading to a later release that contains the fix removes the vulnerability.", "description_and_impact": "The vulnerability resides in the free_choose_arg_map() function in the Linux kernel\u2019s libceph subsystem. When the allocation of arg_map->args fails, the caller can still set arg_map->size to a non\u2011zero value and then jump to the failure path. During cleanup, free_choose_arg_map() iterates over arg_map->args and dereferences a NULL pointer, which triggers a kernel fault. This manifests as a system crash and therefore results in a denial of service. The weakness is a classic NULL pointer dereference (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% shows that this issue is considered unlikely to be exploited in the near term. It is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been observed. The attack would likely require the ability to trigger the partial allocation failure path in the Ceph subsystem, which may be achieved locally by interacting with a Ceph client or potentially remotely if the Ceph interface is exposed. Based on the description, the attack vector is inferred to involve inducing a failure in decode_choose_args(), leading to the null dereference and subsequent crash."}}}}, "created": "2026-04-18T15:15:03.695398+00:00", "updated": "2026-04-28T10:00:06.488101+00:00", "vendors": []}