{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23189", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.985Z", "datePublished": "2026-02-14T16:27:17.549Z", "dateUpdated": "2026-05-11T22:02:02.973Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:02.973Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n const char fs_name = mdsc->fsc->mount_options->mds_namespace;\n ...\n if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n / fsname mismatch, try next one */\n return 0;\n }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n get rid of a series of strlen() calls in ceph_namespace_match(),\n drop changes to namespace_equals() body to avoid treating empty\n mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n as namespace_equals() isn't an equivalent substitution there ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/mds_client.c", "fs/ceph/mdsmap.c", "fs/ceph/mdsmap.h", "fs/ceph/super.h", "include/linux/ceph/ceph_fs.h"], "versions": [{"version": "07640d34a781bb2e39020a39137073c03c4aa932", "lessThan": "c6f8326f26bd20d648d9a55afd68148d1b6afe28", "status": "affected", "versionType": "git"}, {"version": "22c73d52a6d05c5a2053385c0d6cd9984732799d", "lessThan": "57b36ffc8881dd455d875f85c105901974af2130", "status": "affected", "versionType": "git"}, {"version": "22c73d52a6d05c5a2053385c0d6cd9984732799d", "lessThan": "7987cce375ac8ce98e170a77aa2399f2cf6eb99f", "status": "affected", "versionType": "git"}, {"version": "ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/mds_client.c", "fs/ceph/mdsmap.c", "fs/ceph/mdsmap.h", "fs/ceph/super.h", "include/linux/ceph/ceph_fs.h"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.58", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"}, {"url": "https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"}, {"url": "https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"}], "title": "ceph: fix NULL pointer dereference in ceph_mds_auth_match()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACE64C6D-2601-447E-8A2B-0D932A7C5C60", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.12.58", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B6161FA-39A8-4DBD-9D3F-130200A2D241", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.17.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n const char fs_name = mdsc->fsc->mount_options->mds_namespace;\n ...\n if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n / fsname mismatch, try next one */\n return 0;\n }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n get rid of a series of strlen() calls in ceph_namespace_match(),\n drop changes to namespace_equals() body to avoid treating empty\n mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n as namespace_equals() isn't an equivalent substitution there ]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nceph: soluciona la desreferencia de puntero NULL en ceph_mds_auth_match()\n\nEl cliente del kernel de CephFS tiene una regresi\u00f3n a partir de 6.18-rc1.\nTenemos un problema en ceph_mds_auth_match() si fs_name == NULL:\n\n const char fs_name = mdsc->fsc->mount_options->mds_namespace;\n ...\n if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n / el nombre de sistema de archivos no coincide, intentar el siguiente */\n return 0;\n }\n\nPatrick Donnelly sugiri\u00f3 que: En resumen, definitivamente deber\u00edamos empezar a decodificar 'fs_name' del MDSMap y realizar controles de autorizaci\u00f3n estrictos contra \u00e9l. Tenga en cuenta que '-o mds_namespace=foo' solo debe usarse para seleccionar el sistema de archivos a montar y nada m\u00e1s. Es posible que no se especifique ning\u00fan mds_namespace, pero el kernel montar\u00e1 el \u00fanico sistema de archivos que existe, el cual puede tener el nombre 'foo'.\n\nEste parche reelabora ceph_mdsmap_decode() y namespace_equals() con el objetivo de apoyar el concepto sugerido. Ahora la estructura ceph_mdsmap contiene el campo m_fs_name que recibe una copia del nombre de FS extra\u00eddo por ceph_extract_encoded_string(). Para el caso de sistemas de archivos CephFS 'antiguos', se utiliza el nombre 'cephfs'.\n\n[ idryomov: reemplazar el redundante %*pE con %s en ceph_mdsmap_decode(), eliminar una serie de llamadas a strlen() en ceph_namespace_match(), descartar cambios en el cuerpo de namespace_equals() para evitar tratar un mds_namespace vac\u00edo como igual, descartar cambios en ceph_mdsc_handle_fsmap() ya que namespace_equals() no es una sustituci\u00f3n equivalente all\u00ed ]"}], "id": "CVE-2026-23189", "lastModified": "2026-03-18T17:18:58.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:56.703", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ceph: fix NULL pointer dereference in ceph_mds_auth_match()", "id": "2439888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439888"}, "csaw": false, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\nconst char fs_name = mdsc->fsc->mount_options->mds_namespace;\n...\nif (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n/ fsname mismatch, try next one */\nreturn 0;\n}\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\nget rid of a series of strlen() calls in ceph_namespace_match(),\ndrop changes to namespace_equals() body to avoid treating empty\nmds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\nas namespace_equals() isn't an equivalent substitution there ]"], "name": "CVE-2026-23189", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23189\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23189\nhttps://lore.kernel.org/linux-cve-announce/2026021432-CVE-2026-23189-3d9f@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[07640d34a781bb2e39020a39137073c03c4aa932,c6f8326f26bd20d648d9a55afd68148d1b6afe28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[22c73d52a6d05c5a2053385c0d6cd9984732799d,57b36ffc8881dd455d875f85c105901974af2130)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[22c73d52a6d05c5a2053385c0d6cd9984732799d,7987cce375ac8ce98e170a77aa2399f2cf6eb99f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:25:50.542014+00:00", "value": {"mitigation_remediation": ["Apply a kernel version that includes the CephFS patch (6.18\u2011rc1 onward), or backport the fix to the current kernel.", "Reboot the system after updating to ensure the kernel change takes effect.", "If an update cannot be performed immediately, avoid mounting CephFS or restrict access to CephF clients until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via kernel crash"}, "threat_synthesis": {"affected_systems": "Affected servers run the Linux kernel, specifically versions 6.18 and later, including the 6.19 release candidates through rc8. The regression was introduced starting at 6.18\u2011rc1 and continues through each subsequent release until the patch is applied.", "description_and_impact": "The vulnerability is a NULL pointer dereference in the CephFS kernel client, triggered when the authentication match function receives a NULL filesystem name. This causes an unintended kernel crash that results in a system reboot, disrupting availability. The weakness corresponds to CWE\u2011476.", "risk_and_exploitability": "The CVSS score is 5.5, indicating medium severity, and the EPSS score is below 1\u202f%, suggesting a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The most likely attack vector involves a local or remote user interacting with the CephFS module \u2013 for example, mounting a Ceph filesystem with an improperly specified namespace \u2013 which can trigger the code path leading to the crash."}}}}, "created": "2026-02-16T09:43:45.757984+00:00", "updated": "2026-04-17T19:30:15.644290+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}