Security Vulnerability Report
CVE-2026-22992 CVSS 7.5 HIGH

CVE-2026-22992

Published: 2026-01-23 16:15:55
Last Modified: 2026-04-27 14:16:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: return the handler error from mon_handle_auth_done()

Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.11, < 5.15.198) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.16, < 6.1.161) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.2, < 6.6.121) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.7, < 6.12.66) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.13, < 6.18.6) - VULNERABLE
Linux kernel < 33908769248b38a5e77cf9292817bb28e641992d
Linux kernel < 77229551f2cf72f3e35636db68e6a825b912cf16
Linux kernel < 9e0101e57534ef0e7578dd09608a6106736b82e5
Linux kernel < d2c4a5f6996683f287f3851ef5412797042de7f1
Linux kernel < e097cd858196b1914309e7e3d79b4fa79383754d

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-22992 PoC - user-space simulation of the Linux kernel libceph flaw:
// mon_handle_auth_done() drops the handler error, and a NULL pointer
// dereference follows. Nothing here touches the kernel or the network.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated ceph authentication message structure
struct ceph_auth_reply {
    int protocol;
    int result;
    char *payload;
    int payload_size;
};

// Simulated ceph_auth_handle_reply_done(): hands the handler error back to
// its caller, which is where the real bug lies
int ceph_auth_handle_reply_done(int result)
{
    printf("[DEBUG] Processing auth reply, result: %d\n", result);
    if (result < 0) {
        printf("[VULN] Authentication error detected but not propagated!\n");
        return result;
    }
    return 0;
}

// Higher layers learn about the error through this call
void finish_auth(int error)
{
    printf("[DEBUG] finish_auth called with error: %d\n", error);
}

// Vulnerable mon_handle_auth_done implementation
int mon_handle_auth_done(struct ceph_auth_reply *reply)
{
    int ret;

    printf("[DEBUG] Entering mon_handle_auth_done()\n");

    // The handler error is propagated via finish_auth() ...
    ret = ceph_auth_handle_reply_done(reply->result);
    finish_auth(ret);

    // BUG: ... but ret is not returned from mon_handle_auth_done(), so
    // msgr2 proceeds with session establishment despite the auth error
    printf("[VULN] msgr2 attempting to establish session despite auth error!\n");

    // In secure mode, this triggers WARN in setup_crypto()
    // followed by NULL pointer dereference in prepare_auth_signature()
    printf("[VULN] Triggering NULL pointer dereference in prepare_auth_signature()...\n");

    // Simulate NULL pointer dereference (volatile keeps the compiler from
    // optimizing the faulting store away)
    volatile int *ptr = NULL;
    *ptr = 0x1337; // Crash here - NULL pointer dereference

    return 0; // Should return ret instead
}

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    printf("=== CVE-2026-22992 PoC ===\n");
    printf("Linux kernel libceph mon_handle_auth_done() error handling vulnerability\n\n");

    // Craft malicious authentication reply (simulated, never sent anywhere)
    struct ceph_auth_reply reply;
    reply.protocol = 2;      // MSGR2 protocol
    reply.result = -1;       // Authentication failure
    reply.payload = NULL;
    reply.payload_size = 0;

    printf("[*] Sending malicious auth reply with result=%d\n", reply.result);
    printf("[*] This should trigger authentication error handling...\n\n");

    // Trigger the vulnerable code path
    mon_handle_auth_done(&reply);

    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22992", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:55.290", "lastModified": "2026-04-27T14:16:28.300", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn't returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nlibceph: devolver el error del manejador de mon_handle_auth_done()\n\nActualmente, cualquier error de ceph_auth_handle_reply_done() se propaga a través de finish_auth() pero no se devuelve de mon_handle_auth_done(). Esto resulta en que las capas superiores aprendan que (a pesar de que el monitor nos considere autenticados con éxito) algo salió mal en la fase de autenticación y reaccionen en consecuencia, pero msgr2 sigue intentando proceder con el establecimiento de la sesión en segundo plano. 
En el caso del modo seguro, esto puede activar una ADVERTENCIA en setup_crypto() y más tarde conducir a una desreferencia de puntero NULL dentro de prepare_auth_signature()."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.161", "matchCriteriaId": "E135B7E2-61FC-4DC1-8570-ABD67894FFDE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.121", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.66", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patc ... (truncated)