{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23201", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:25.693Z", "dateUpdated": "2026-05-11T22:02:16.799Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:16.799Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix oops due to invalid pointer for kfree() in parse_longname()\n\nThis fixes a kernel oops when reading ceph snapshot directories (.snap),\nfor example by simply running `ls /mnt/my_ceph/.snap`.\n\nThe variable str is guarded by __free(kfree), but advanced by one for\nskipping the initial '_' in snapshot names. Thus, kfree() is called\nwith an invalid pointer. This patch removes the need for advancing the\npointer so kfree() is called with correct memory pointer.\n\nSteps to reproduce:\n\n1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)\n\n2. Add cephfs mount to fstab\n$ echo \"samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0\" >> /etc/fstab\n\n3. Reboot the system\n$ systemctl reboot\n\n4. Check if it's really mounted\n$ mount | grep stuff\n\n5. List snapshots (expected 63 snapshots on my system)\n$ ls /mnt/test/stuff/.snap\n\nNow ls hangs forever and the kernel log shows the oops."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/crypto.c"], "versions": [{"version": "bb80f7618832d26f7e395f52f82b1dac76223e5f", "lessThan": "8c9af7339de419819cfc641d551675d38ff99abf", "status": "affected", "versionType": "git"}, {"version": "101841c38346f4ca41dc1802c867da990ffb32eb", "lessThan": "e258ed369c9e04caa7d2fd49785d753ae4034cb6", "status": "affected", "versionType": "git"}, {"version": "101841c38346f4ca41dc1802c867da990ffb32eb", "lessThan": "bc8dedae022ce3058659c3addef3ec4b41d15e00", "status": "affected", "versionType": "git"}, {"version": "3145b2b11492d61c512bbc59660bb823bc757f48", "status": "affected", "versionType": "git"}, {"version": "493479af8af3ab907f49e99323777d498a4fbd2b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/crypto.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.42", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8c9af7339de419819cfc641d551675d38ff99abf"}, {"url": "https://git.kernel.org/stable/c/e258ed369c9e04caa7d2fd49785d753ae4034cb6"}, {"url": "https://git.kernel.org/stable/c/bc8dedae022ce3058659c3addef3ec4b41d15e00"}], "title": "ceph: fix oops due to invalid pointer for kfree() in parse_longname()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E35130D-49A4-4F25-AFAF-52726A775239", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.12.42", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E12C24E-0833-48D3-9A8D-574823A693F0", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "496F2923-911F-4FFD-B9A0-4B9D70EBA1C4", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix oops due to invalid pointer for kfree() in parse_longname()\n\nThis fixes a kernel oops when reading ceph snapshot directories (.snap),\nfor example by simply running `ls /mnt/my_ceph/.snap`.\n\nThe variable str is guarded by __free(kfree), but advanced by one for\nskipping the initial '_' in snapshot names. Thus, kfree() is called\nwith an invalid pointer. This patch removes the need for advancing the\npointer so kfree() is called with correct memory pointer.\n\nSteps to reproduce:\n\n1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)\n\n2. Add cephfs mount to fstab\n$ echo \"samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0\" >> /etc/fstab\n\n3. Reboot the system\n$ systemctl reboot\n\n4. Check if it's really mounted\n$ mount | grep stuff\n\n5. List snapshots (expected 63 snapshots on my system)\n$ ls /mnt/test/stuff/.snap\n\nNow ls hangs forever and the kernel log shows the oops."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nceph: corrige un oops debido a un puntero inv\u00e1lido para kfree() en parse_longname()\n\nEsto corrige un oops del kernel al leer directorios de instant\u00e1neas de ceph (.snap), por ejemplo, simplemente ejecutando 'ls /mnt/my_ceph/.snap'.\n\nLa variable str est\u00e1 protegida por __free(kfree), pero se avanza en uno para saltar el '_' inicial en los nombres de las instant\u00e1neas. Por lo tanto, se llama a kfree() con un puntero inv\u00e1lido. Este parche elimina la necesidad de avanzar el puntero para que se llame a kfree() con el puntero de memoria correcto.\n\nPasos para reproducir:\n\n1. Crea instant\u00e1neas en un volumen cephfs (tengo 63 instant\u00e1neas en mi caso de prueba)\n\n2. A\u00f1ade el montaje cephfs a fstab\n$ echo 'samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0' >> /etc/fstab\n\n3. Reinicia el sistema\n$ systemctl reboot\n\n4. Comprueba si est\u00e1 realmente montado\n$ mount | grep stuff\n\n5. Lista las instant\u00e1neas (se esperan 63 instant\u00e1neas en mi sistema)\n$ ls /mnt/test/stuff/.snap\n\nAhora ls se cuelga indefinidamente y el registro del kernel muestra el oops."}], "id": "CVE-2026-23201", "lastModified": "2026-03-19T16:35:58.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:57.950", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c9af7339de419819cfc641d551675d38ff99abf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bc8dedae022ce3058659c3addef3ec4b41d15e00"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e258ed369c9e04caa7d2fd49785d753ae4034cb6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ceph: fix oops due to invalid pointer for kfree() in parse_longname()", "id": "2439939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439939"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23201", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23201\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23201\nhttps://lore.kernel.org/linux-cve-announce/2026021436-CVE-2026-23201-4530@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bb80f7618832d26f7e395f52f82b1dac76223e5f,8c9af7339de419819cfc641d551675d38ff99abf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[101841c38346f4ca41dc1802c867da990ffb32eb,e258ed369c9e04caa7d2fd49785d753ae4034cb6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[101841c38346f4ca41dc1802c867da990ffb32eb,bc8dedae022ce3058659c3addef3ec4b41d15e00)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "3145b2b11492d61c512bbc59660bb823bc757f48"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "493479af8af3ab907f49e99323777d498a4fbd2b"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:23:29.647008+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that contains the patch committing the safe free operation (e.g., upgrade to 6.19 rc9 or a later stable release).", "If an immediate kernel upgrade is not feasible, manually rebuild the kernel with the patch from the referenced commits applied to resolve the invalid kfree call.", "Until a kernel fix is deployed, avoid commands that list .snap directories or schedule Ceph snapshots on systems that cannot be updated promptly."], "summary": {"action": "Patch", "impact": "Kernel Oops leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems are Linux kernel builds that include the unpatched parse_longname() code, notably all 6.19 release candidates from rc1 through rc8 and any subsequent kernel versions until the patch is applied. Any kernel that mounts a Ceph filesystem and enumerates its .snap directories is susceptible. The issue manifests during normal operations such as running 'ls /mnt/<ceph_mount>/.snap' or accessing the snapshot list through a Ceph client.", "description_and_impact": "The vulnerability lies in the Linux kernel\u2019s handling of Ceph snapshot directories. When a user lists a .snap directory, the function parse_longname() advances a pointer past an underscore and then calls kfree() on that advanced pointer. Because the pointer is not the original allocation reference, the kernel attempts to free invalid memory, triggering an oops. The crash effectively brings the kernel to a halt, disrupting all processes and requiring a system reboot. No remote code execution or data exfiltration is possible, but the denial of service can be critical for production environments that rely on CephFS.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate impact, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Attack requires local access to a machine that can mount the affected CephFS and enumerate snapshots, implying a local threat model rather than remote exploitation. The bug results in a kernel crash rather than privilege escalation or data loss, but the denial of service can have significant operational consequences."}}}}, "created": "2026-02-16T09:43:32.036089+00:00", "updated": "2026-04-17T19:30:15.640316+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}