CRITICAL

CVE-2026-43407

Published: May 8, 2026 · Updated: May 12, 2026

CVSS v3.1: 9.1
EPSS: 0.05% probability of exploitation in 30 days; Percentile: 16.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()

This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.

This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.

Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.

BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262

CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

[ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]

NVD Source
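
The signed-length problem explained in the description, as an added userspace model in C (not the kernel patch and not libceph code). Offsets stand in for pointers so nothing is actually read out of bounds; the simplified frame layout, the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model, not kernel code: the outcome is reported instead of reading memory. */
enum outcome { PARSE_OK, PARSE_REJECTED, PARSE_OOB_BEFORE_START };

/* Constructed sample frames: [payload_len][payload][result_msg_len][result_msg] */
const uint8_t frame_ok[]  = { 2,0,0,0, 'A','B', 1,0,0,0, 'x' };
const uint8_t frame_big[] = { 0xf0,0xff,0xff,0xff, 0,0,0,0 }; /* length > INT_MAX */

/* End-only bound check as described above: n bytes must fit before end. */
static int has_room(int64_t off, int64_t end, int64_t n)
{
	return end >= off && n <= end - off;
}

static uint32_t get_le32(const uint8_t *b)
{
	return b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Before the fix: lengths held in a signed 32-bit variable. */
enum outcome parse_signed_len(const uint8_t *buf, size_t len)
{
	int64_t off = 0, end = (int64_t)len;
	if (!has_room(off, end, 4)) return PARSE_REJECTED;
	int32_t payload_len = (int32_t)get_le32(buf + off); /* > INT_MAX turns negative */
	off += 4 + (int64_t)payload_len;                    /* negative length steps backwards */
	if (!has_room(off, end, 4)) return PARSE_REJECTED;  /* passes: end is not exceeded */
	if (off < 0) return PARSE_OOB_BEFORE_START;         /* next read would precede buf */
	int32_t result_msg_len = (int32_t)get_le32(buf + off);
	off += 4 + (int64_t)result_msg_len;
	return off == end ? PARSE_OK : PARSE_REJECTED;
}

/* After the fix: u32 lengths, each checked right after it is read. */
enum outcome parse_u32_len(const uint8_t *buf, size_t len)
{
	int64_t off = 0, end = (int64_t)len;
	if (!has_room(off, end, 4)) return PARSE_REJECTED;
	uint32_t payload_len = get_le32(buf + off);
	if (!has_room(off + 4, end, payload_len)) return PARSE_REJECTED;
	off += 4 + (int64_t)payload_len;
	if (!has_room(off, end, 4)) return PARSE_REJECTED;
	uint32_t result_msg_len = get_le32(buf + off);
	if (!has_room(off + 4, end, result_msg_len)) return PARSE_REJECTED;
	return off + 4 + result_msg_len == end ? PARSE_OK : PARSE_REJECTED;
}
```

Both parsers accept `frame_ok`; for `frame_big` the signed variant passes its end-only check with an offset before the buffer start, while the u32 variant rejects the frame at the first length check.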

Technical Analysis

CVE-2026-43407 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in a complete confidentiality breach (data exposure) and availability disruption (denial of service); the CVSS base score is 9.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Req.: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description): Linux, Debian

CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-43407
CVSS Score: 9.1 / 10
Severity: CRITICAL
CISA KEV: No
EPSS (30d): 0.05%
Published: May 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43407 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.