Security Vulnerability Report
中文
CVE-2026-22991 CVSS 7.5 HIGH

CVE-2026-22991

Published: 2026-01-23 16:15:55
Last Modified: 2026-04-27 14:16:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel libceph (未修补版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <stdlib.h> #include <string.h> /* PoC concept for CVE-2026-22991 NULL pointer dereference * This demonstrates the vulnerability in libceph's free_choose_arg_map() * * The vulnerability occurs when: * 1. arg_map->size is set to non-zero value * 2. arg_map->args allocation fails (returns NULL) * 3. free_choose_arg_map() is called with non-zero size but NULL args * 4. The function iterates over args and dereferences NULL pointer */ struct choose_arg_map { size_t size; void **args; // NULL when allocation fails }; void free_choose_arg_map_vulnerable(struct choose_arg_map *arg_map) { // Vulnerable: iterates without checking if args is NULL for (size_t i = 0; i < arg_map->size; i++) { free(arg_map->args[i]); // NULL pointer dereference here } free(arg_map->args); free(arg_map); } void free_choose_arg_map_fixed(struct choose_arg_map *arg_map) { // Fixed: check args before iterating if (arg_map->args != NULL) { for (size_t i = 0; i < arg_map->size; i++) { free(arg_map->args[i]); } free(arg_map->args); } free(arg_map); } int trigger_vulnerability(void) { struct choose_arg_map *arg_map = malloc(sizeof(struct choose_arg_map)); if (!arg_map) return -1; // Simulate partial allocation failure scenario arg_map->size = 10; // Set size before allocation arg_map->args = NULL; // Allocation would fail here in real scenario // This will trigger NULL pointer dereference free_choose_arg_map_vulnerable(arg_map); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22991", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:55.183", "lastModified": "2026-04-27T14:16:28.150", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map->args\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map->size is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map->args and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nlibceph: hacer free_choose_arg_map() resistente a la asignación parcial\n\nfree_choose_arg_map() puede desreferenciar un puntero NULL si su llamador falla después de una asignación parcial.\n\nPor ejemplo, en decode_choose_args(), si la asignación de arg_map-&gt;args falla, la ejecución salta a la etiqueta fail y se llama a free_choose_arg_map(). Dado que arg_map-&gt;size se actualiza a un valor distinto de cero antes de la asignación de memoria, free_choose_arg_map() iterará sobre arg_map-&gt;args y desreferenciará un puntero NULL.\n\nPara evitar esta potencial desreferencia de puntero NULL y hacer free_choose_arg_map() más resistente, añadir comprobaciones para los punteros antes de iterar."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.10.248", "matchCriteriaId": "14DEF845-E647-4A78-9311-A8F1A59E3A66"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.161", "matchCriteriaId": "E135B7E2-61FC-4DC1-8570-ABD67894FFDE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.121", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.66", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/851241d3f78a5505224 ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.