CVE-2026-22991

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: make free_choose_arg_map() resilient to partial allocation<br /> <br /> free_choose_arg_map() may dereference a NULL pointer if its caller fails<br /> after a partial allocation.<br /> <br /> For example, in decode_choose_args(), if allocation of arg_map-&gt;args<br /> fails, execution jumps to the fail label and free_choose_arg_map() is<br /> called. Since arg_map-&gt;size is updated to a non-zero value before memory<br /> allocation, free_choose_arg_map() will iterate over arg_map-&gt;args and<br /> dereference a NULL pointer.<br /> <br /> To prevent this potential NULL pointer dereference and make<br /> free_choose_arg_map() more resilient, add checks for pointers before<br /> iterating.