From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43406: libceph: prevent potential out-of-bounds reads in process_message_header()
Date: Fri, 8 May 2026 16:22:15 +0200
Message-ID: <2026050842-CVE-2026-43406-84a2@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in process_message_header()

If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().

Perform an explicit bounds check before decoding the message header.

The Linux kernel CVE team has assigned CVE-2026-43406 to this issue.

Affected and fixed versions
===========================

	Fixed in 5.15.203 with commit 76ccf21a12c5f6d6790bc32c7da82446d877b2f4
	Fixed in 6.1.167 with commit 75582aaa580c11aed4c7731cad6b068b700e7efb
	Fixed in 6.6.130 with commit 50156622eb0888e62541d715a98584480a1bc7cb
	Fixed in 6.12.78 with commit dbd857a9e1e33ea71eaf3e211877027e533770d1
	Fixed in 6.18.19 with commit 69fe5af33fa3806f398d21c081d73c66e5523bc2
	Fixed in 6.19.9 with commit 035867ae6f18df0aeedb2a57a5b74091bd4e3fe8
	Fixed in 7.0 with commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43406
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/ceph/messenger_v2.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4
	https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb
	https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb
	https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1
	https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2
	https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8
	https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5
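
The class of check named in the description, "an explicit bounds check before decoding the message header", sketched as an added userspace example. This is not the kernel's code and is not taken from the fix commits; the header layout, DEMO_HDR_LEN and every demo_* name are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified header, NOT the real layout used by
 * net/ceph/messenger_v2.c: seq (le64), type (le16), data_len (le32). */
#define DEMO_HDR_LEN 14u

struct demo_msg_header { uint64_t seq; uint16_t type; uint32_t data_len; };

/* Read an n-byte little-endian integer. */
static uint64_t get_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/* ctrl/ctrl_len describe the control segment; ctrl_len comes from the
 * peer-supplied frame and must not be trusted. */
int demo_process_message_header(const uint8_t *ctrl, size_t ctrl_len,
                                struct demo_msg_header *out)
{
    /* Explicit bounds check before decoding: without it, the reads below
     * run past the end of a short control segment. */
    if (ctrl_len < DEMO_HDR_LEN)
        return -1;
    out->seq = get_le(ctrl, 8);
    out->type = (uint16_t)get_le(ctrl + 8, 2);
    out->data_len = (uint32_t)get_le(ctrl + 10, 4);
    return 0;
}

/* Demo wrapper: decoded type on success, -1 if the frame is rejected. */
int demo_type_of(const uint8_t *ctrl, size_t ctrl_len)
{
    struct demo_msg_header h;
    return demo_process_message_header(ctrl, ctrl_len, &h) ? -1 : h.type;
}

/* Constructed samples: a full header (seq=1, type=0x2a, data_len=16) and
 * a 4-byte control segment from a frame mislabelled as a message. */
static const uint8_t demo_good[DEMO_HDR_LEN] = {1,0,0,0,0,0,0,0, 0x2a,0, 16,0,0,0};
static const uint8_t demo_short[4] = {1,0,0,0};

int main(void)
{
    printf("good: %d\n", demo_type_of(demo_good, sizeof(demo_good)));
    printf("one byte short: %d\n", demo_type_of(demo_good, DEMO_HDR_LEN - 1));
    printf("mislabelled: %d\n", demo_type_of(demo_short, sizeof(demo_short)));
    return 0;
}
```

In this model the length comparison covers both cases from the description: a corrupted message frame and another frame type passed off as a message frame are rejected alike when the control segment is shorter than the header.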