{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23189","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.985Z","datePublished":"2026-02-14T16:27:17.549Z","dateUpdated":"2026-05-11T22:02:02.973Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:02.973Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n    const char fs_name = mdsc->fsc->mount_options->mds_namespace;\n    ...\n    if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n            / fsname mismatch, try next one */\n            return 0;\n    }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n  get rid of a series of strlen() calls in ceph_namespace_match(),\n  drop changes to namespace_equals() body to avoid treating empty\n  mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n  as namespace_equals() isn't an equivalent substitution there ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ceph/mds_client.c","fs/ceph/mdsmap.c","fs/ceph/mdsmap.h","fs/ceph/super.h","include/linux/ceph/ceph_fs.h"],"versions":[{"version":"07640d34a781bb2e39020a39137073c03c4aa932","lessThan":"c6f8326f26bd20d648d9a55afd68148d1b6afe28","status":"affected","versionType":"git"},{"version":"22c73d52a6d05c5a2053385c0d6cd9984732799d","lessThan":"57b36ffc8881dd455d875f85c105901974af2130","status":"affected","versionType":"git"},{"version":"22c73d52a6d05c5a2053385c0d6cd9984732799d","lessThan":"7987cce375ac8ce98e170a77aa2399f2cf6eb99f","status":"affected","versionType":"git"},{"version":"ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ceph/mds_client.c","fs/ceph/mdsmap.c","fs/ceph/mdsmap.h","fs/ceph/super.h","include/linux/ceph/ceph_fs.h"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.12.70","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.10","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.58","versionEndExcluding":"6.12.70"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"},{"url":"https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"},{"url":"https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"}],"title":"ceph: fix NULL pointer dereference in ceph_mds_auth_match()","x_generator":{"engine":"bippy-1.2.0"}}}}