CVE-2026-22991
Published: 23 January 2026
Summary
CVE-2026-22991 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 5.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remote network-triggered NULL dereference in kernel leads directly to system crash, matching Endpoint DoS via system exploitation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.
Deeper analysis (AI)
CVE-2026-22991 is a NULL pointer dereference vulnerability in the Linux kernel's libceph component, specifically within the free_choose_arg_map() function. This issue arises when the function is called after a partial allocation failure, such as in decode_choose_args() where allocation of arg_map->args fails, leading to execution jumping to a fail label. At that point, arg_map->size has been updated to a non-zero value, causing free_choose_arg_map() to iterate over and dereference a NULL arg_map->args pointer. The vulnerability is classified under CWE-476 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation results in high-impact denial of service through kernel crash, as indicated by the availability impact in the CVSS score, with no confidentiality or integrity effects.
Mitigation involves applying stable kernel patches that enhance free_choose_arg_map() resilience by adding checks for pointers before iteration. Relevant commits include 8081faaf089db5280c3be820948469f7c58ef8dd, 851241d3f78a5505224dc21c03d8692f530256b4, 9b3730dabcf3764bfe3ff07caf55e641a0b45234, c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf, and e3fe30e57649c551757a02e1cad073c47e1e075e, available via kernel.org stable trees.
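A user-space C model of the failure path described above, added here as an illustration; it is not the kernel's libceph code. The struct layout, the nested weight_set level, the xcalloc fault injector and all names are assumptions made for the example, which extends the pointer-before-size check to a second level of allocation.

```c
/* User-space model of the partial-allocation teardown; illustrative names only. */
#include <stdint.h>
#include <stdlib.h>

struct weight_set { uint32_t *weights; };
struct choose_arg { struct weight_set *weight_set; uint32_t weight_set_size; };
struct arg_map    { struct choose_arg *args; uint32_t size; };

static int fail_at = -1, alloc_no;  /* constructed fault injector: fail the Nth allocation */

static void *xcalloc(size_t n, size_t sz)
{
    return (alloc_no++ == fail_at) ? NULL : calloc(n, sz);
}

/* Hardened teardown: a size field is trusted only after its pointer is checked. */
static void free_arg_map(struct arg_map *m)
{
    if (!m)
        return;
    if (m->args) {                      /* without this, size != 0 walks a NULL array */
        for (uint32_t i = 0; i < m->size; i++) {
            struct choose_arg *a = &m->args[i];
            if (!a->weight_set)         /* same guard one level down */
                continue;
            for (uint32_t j = 0; j < a->weight_set_size; j++)
                free(a->weight_set[j].weights);
            free(a->weight_set);
        }
        free(m->args);
    }
    free(m);
}

/* Decoder that records each size before the matching allocation is known to succeed. */
static int decode_arg_map(uint32_t n_args, uint32_t n_sets)
{
    struct arg_map *m = xcalloc(1, sizeof(*m));
    if (!m)
        return -1;
    m->size = n_args;                               /* size is set first ... */
    m->args = xcalloc(n_args, sizeof(*m->args));    /* ... and this may fail */
    int ok = m->args != NULL;
    for (uint32_t i = 0; ok && i < n_args; i++) {
        m->args[i].weight_set_size = n_sets;
        m->args[i].weight_set = xcalloc(n_sets, sizeof(struct weight_set));
        ok = m->args[i].weight_set != NULL;
    }
    free_arg_map(m);    /* on failure: a non-zero size sits beside a NULL pointer */
    return ok ? 0 : -1;
}
int main(void) { fail_at = 1; return decode_arg_map(4, 2) == -1 ? 0 : 1; }
```

Removing either pointer check in free_arg_map() reproduces the crash class the advisory describes when the matching allocation is made to fail.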
Details
- CWE(s)