{"id":"CVE-2026-23189","summary":"ceph: fix NULL pointer dereference in ceph_mds_auth_match()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n    const char fs_name = mdsc-\u003efsc-\u003emount_options-\u003emds_namespace;\n    ...\n    if (auth-\u003ematch.fs_name && strcmp(auth-\u003ematch.fs_name, fs_name)) {\n            / fsname mismatch, try next one */\n            return 0;\n    }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n  get rid of a series of strlen() calls in ceph_namespace_match(),\n  drop changes to namespace_equals() body to avoid treating empty\n  mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n  as namespace_equals() isn't an equivalent substitution there ]","modified":"2026-04-28T18:29:30.221477209Z","published":"2026-02-14T16:27:17.549Z","related":["SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","SUSE-SU-2026:21284-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23189.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23189.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23189"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"07640d34a781bb2e39020a39137073c03c4aa932"},{"fixed":"c6f8326f26bd20d648d9a55afd68148d1b6afe28"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"22c73d52a6d05c5a2053385c0d6cd9984732799d"},{"fixed":"57b36ffc8881dd455d875f85c105901974af2130"},{"fixed":"7987cce375ac8ce98e170a77aa2399f2cf6eb99f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23189.json"}}],"schema_version":"1.7.5"}