CVE-2026-46119

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: Fix slab-out-of-bounds access in auth message processing<br /> <br /> If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY<br /> contains a positive value in its result field, it is treated as an<br /> error code by ceph_handle_auth_reply() and returned to<br /> handle_auth_reply(). Thereafter, an attempt is made to send the<br /> preallocated message of type CEPH_MSG_AUTH, where the returned value is<br /> interpreted as the size of the front segment to send. If the result<br /> value in the message is greater than the size of the memory buffer<br /> allocated for the front segment, an out-of-bounds access occurs, and<br /> the content of the memory region beyond this buffer is sent out.<br /> <br /> This patch fixes the issue by treating only negative values in the<br /> result field as errors. Positive values are therefore treated as success<br /> in the same way as a zero value. Additionally, a BUG_ON is added to<br /> __send_prepared_auth_request() comparing the len parameter to<br /> front_alloc_len to prevent sending the message if it exceeds the bounds<br /> of the allocation and to make it easier to catch any logic flaws leading<br /> to this.