CRITICAL · CVE-2026-46119 · CNA: Linux

CVE-2026-46119: libceph: Fix slab-out-of-bounds access in auth message processing

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix slab-out-of-bounds access in auth message processing

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value.

Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.
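The two logic errors the fix addresses (a signed result field that is only compared against zero, and a send routine that trusts its length argument) are easier to see in a small model than in the kernel tree. The following C program is an added illustration for this page, not kernel code: the wire layout of the reply front, the front_alloc_len value of 128, the outcome enumeration and the function names handle_auth_reply/send_prepared_auth_request/run_case are assumptions of the example, and the out-of-bounds send is reported as a result code rather than actually performed. The `patched` flag switches between the original check (any nonzero result is an error) and the fixed one (only negative results are errors), so the same constructed reply can be run through both paths.

```c
/* Added model of the libceph auth-reply path; layout, sizes and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRONT_ALLOC_LEN 128   /* assumed size of the preallocated CEPH_MSG_AUTH front */

enum outcome {
    OUT_ERROR,      /* reply rejected as an error code */
    OUT_SUCCESS,    /* reply accepted, nothing sent */
    OUT_SEND_OK,    /* CEPH_MSG_AUTH sent with a length inside the allocation */
    OUT_SEND_OOB    /* length exceeds front_alloc_len: the reported bug */
};

struct auth_reply {           /* fields as this model lays them out */
    uint32_t protocol;
    int32_t  result;          /* signed: 0 ok, <0 errno, >0 never meaningful */
    uint64_t global_id;
    uint32_t payload_len;
    uint32_t result_msg_len;
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bounds-check every field; -1 on a truncated or over-long front. */
static int decode_auth_reply(const uint8_t *buf, size_t len, struct auth_reply *r)
{
    size_t off = 20;          /* protocol(4) + result(4) + global_id(8) + payload_len(4) */
    if (len < off)
        return -1;
    r->protocol    = rd32(buf);
    r->result      = (int32_t)rd32(buf + 4);
    r->global_id   = (uint64_t)rd32(buf + 8) | (uint64_t)rd32(buf + 12) << 32;
    r->payload_len = rd32(buf + 16);
    if (r->payload_len > len - off)
        return -1;
    off += r->payload_len;
    if (len - off < 4)
        return -1;
    r->result_msg_len = rd32(buf + off);
    off += 4;
    if (r->result_msg_len > len - off)
        return -1;
    return off + r->result_msg_len == len ? 0 : -1;
}

/* Stand-in for __send_prepared_auth_request(): 'len' is the number of front bytes to
 * send. The patched kernel BUG_ON()s when len > front_alloc_len; the unpatched one
 * reads and transmits memory past the allocation. Reported here, not performed. */
static enum outcome send_prepared_auth_request(int len, size_t front_alloc_len)
{
    return (size_t)len > front_alloc_len ? OUT_SEND_OOB : OUT_SEND_OK;
}

/* Stand-in for handle_auth_reply() calling ceph_handle_auth_reply(). */
static enum outcome handle_auth_reply(const uint8_t *msg, size_t len,
                                      size_t front_alloc_len, int patched)
{
    struct auth_reply r;
    int ret;

    if (decode_auth_reply(msg, len, &r) < 0)
        return OUT_ERROR;
    if (patched ? (r.result < 0) : (r.result != 0))
        ret = r.result;       /* wire value handed back as an "error code" */
    else
        ret = 0;              /* success; the real code would run the auth protocol here */

    /* The caller only knows "positive means bytes to send", so with the original
     * check an attacker-chosen positive result becomes the send length. */
    if (ret > 0)
        return send_prepared_auth_request(ret, front_alloc_len);
    return ret < 0 ? OUT_ERROR : OUT_SUCCESS;
}

/* Constructed reply: empty payload and result string, caller-chosen result. */
static size_t build_auth_reply(uint8_t *out, int32_t result)
{
    wr32(out, 2);             /* protocol: arbitrary for this model */
    wr32(out + 4, (uint32_t)result);
    memset(out + 8, 0, 8);    /* global_id */
    wr32(out + 16, 0);        /* payload_len */
    wr32(out + 20, 0);        /* result_msg_len */
    return 24;
}

enum outcome run_case(int32_t result, int patched)
{
    uint8_t msg[24];
    size_t n = build_auth_reply(msg, result);
    return handle_auth_reply(msg, n, FRONT_ALLOC_LEN, patched);
}

int main(void)
{
    static const char *names[] = { "error", "success", "send ok", "SEND OOB" };
    int32_t cases[] = { 0, -1, 64, 4096 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("result=%6d  unpatched: %-8s  patched: %s\n", (int)cases[i],
               names[run_case(cases[i], 0)], names[run_case(cases[i], 1)]);
    return 0;
}
```

Running it shows the distinction the commit message draws: a result of 4096 makes the unpatched path send 4096 bytes from a 128-byte front (the out-of-bounds read), while the patched path treats it like zero; a negative result is an error in both; a positive value that happens to fit (64) still makes the unpatched client resend a stale request, which is why the fix changes the sign test rather than only adding the BUG_ON.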

HarborGuard Analysis

Synopsis

A slab-out-of-bounds read exists in the Linux kernel's libceph subsystem, in the path that handles CEPH_MSG_AUTH_REPLY messages from a Ceph monitor. A crafted or corrupted reply whose result field holds a positive value is handed back to the caller as if it were an error code, and the caller then uses that value as the front-segment length when it sends the preallocated CEPH_MSG_AUTH message; if the value exceeds the buffer's front_alloc_len, memory beyond the allocation is read and transmitted to the peer. Because the vulnerable code is the kernel client, the attacker must control or impersonate the monitor the client is talking to; no credentials are needed, since the flaw is hit during the authentication exchange itself. Successful exploitation leaks kernel memory to the remote peer and can crash the host. The fix is in kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7 and 7.1-rc1 (and the associated commit SHAs); a patched-image rebuild at those versions is available on HarborGuard for environments running an affected kernel.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-46119 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using upstream feed ingestion, covering both distribution-provided and custom-built images. Any image whose kernel package resolves to an affected version is flagged automatically in registry scans and CI pipeline checks; the flaw is in the in-kernel libceph code, so user-space Ceph packages are not the matching target.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 9.1 (Critical) and surfaces it with that severity weighting inside each customer org's compliance policy engine. Per-environment policy rules can further route the finding to the appropriate team inbox based on workload classification and risk thresholds.

Status: Available
Patch

A patched-image rebuild against the fix version for the running stable branch (kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7 or 7.1-rc1, or the corresponding upstream commits) is available for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable code runs in the kernel client when it receives a CEPH_MSG_AUTH_REPLY, so the attacker must be the peer the client is authenticating to: a compromised or rogue Ceph monitor, or a host able to interpose on the client-to-monitor connection and inject the crafted reply.

  • Authentication: Not required

    No credentials are needed; the reply is parsed during the authentication exchange, before any session is established, so the peer does not have to prove anything to the client first.

  • Victim interaction: Not required

    No user or operator action is required beyond the client already being configured to talk to the monitor in question; the kernel processes the incoming auth reply without any interactive step.

  • Attack complexity: Low

    The trigger is a single reply whose result field holds a positive value larger than the preallocated front segment. No race condition or particular memory layout is needed beyond the ability to deliver that message to the client, which matches the AC:L component of the CVSS vector.

Blast Radius

  • Reads slab memory beyond the preallocated CEPH_MSG_AUTH front buffer and transmits it to the peer, potentially exposing in-memory secrets, keys or other sensitive kernel data.
  • Can crash the host: libceph runs in kernel context, so an out-of-bounds read that reaches an unmapped page oopses the kernel rather than a user-space process, denying service to every workload that depends on the Ceph storage backend.
  • Any container or pod relying on CephFS or RBD volumes on the affected host becomes unavailable if the kernel panics.
  • Disclosed kernel memory may contain credentials or session material held in adjacent slab allocations, widening the attack surface for follow-on exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46119 is active in the scan pipeline and flags any image whose kernel package falls below the fixed version for its stable branch (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1, or the patched commit SHAs). For customers who opt into auto-remediation, HarborGuard can initiate a patched-image rebuild, execute a regression test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Because the malicious message arrives from the monitor side of the connection, environments that cannot immediately apply the kernel patch should make sure kernel clients can only reach trusted monitors: configure clients with fixed, known monitor addresses, restrict client egress on the monitor port to those addresses with network policy, and treat monitor hosts as high-value assets, since a compromised monitor can leak kernel memory from every kernel client that authenticates to it. Restricting inbound connections to the monitors does not address this flaw, because the client is the vulnerable party. HarborGuard re-evaluates advisory status on every ingest cycle and surfaces the rebuild option as soon as a patched base image is available in the upstream feed.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Affected products: 2

Fix available

Fix commits:
  • 1c439de70b1c3eb3c6bffa8245c16b9fc318f114
  • 2ae0afd98432536562fa8261538ae795446f0589
  • 408e85ee708b6aa03eeb0220ffa0915f4d407181
  • 8517b6c8d2c759918ba0058cb6c7e14d59643202
  • b7df9fbd4869fdfe09a3f501ffd228486521e062

Fixed versions: 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1

Affected packages
  • Linux / Linux (by commit)
    Affected from 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc up to, but not including, each of 2ae0afd98432536562fa8261538ae795446f0589, 408e85ee708b6aa03eeb0220ffa0915f4d407181, b7df9fbd4869fdfe09a3f501ffd228486521e062, 8517b6c8d2c759918ba0058cb6c7e14d59643202 and 1c439de70b1c3eb3c6bffa8245c16b9fc318f114
  • Linux / Linux (by version)
    Affected from 2.6.34; fixed in 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H