Cyber Resilience

CVE-2026-22992

High

Published: 23 January 2026

Published
23 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 19.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22992 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22992 is a vulnerability in the Linux kernel's libceph component, where mon_handle_auth_done() does not return errors from ceph_auth_handle_reply_done(). Instead, these errors are propagated via finish_auth() but ignored at the higher layer, causing msgr2 to proceed with session establishment despite authentication failures. In secure mode, this triggers a WARN in setup_crypto() and can lead to a NULL pointer dereference in prepare_auth_signature(). The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).

Remote network attackers require no privileges or user interaction and face low attack complexity to exploit this vulnerability. Exploitation occurs during Ceph monitor authentication, allowing attackers to induce a kernel crash via the NULL pointer dereference, resulting in denial of service with high availability impact.

Kernel stable patches address the issue by ensuring mon_handle_auth_done() returns the handler error properly. Relevant commits include https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d, https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16, https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5, https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1, and https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d. Security practitioners should update affected Linux kernels to versions incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the…

more

monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote unauthenticated exploitation of a NULL pointer dereference in Ceph auth handling, directly causing kernel crash and endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22991Same product: Linux Linux Kernel
CVE-2026-31600Same product: Linux Linux Kernel
CVE-2026-22998Same product: Linux Linux Kernel
CVE-2026-23242Same product: Linux Linux Kernel
CVE-2026-31638Same product: Linux Linux Kernel
CVE-2026-31477Same product: Linux Linux Kernel
CVE-2026-31450Same product: Linux Linux Kernel
CVE-2026-23148Same product: Linux Linux Kernel
CVE-2026-31404Same product: Linux Linux Kernel
CVE-2026-23198Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 5.11 — 5.15.198 · 5.16 — 6.1.161 · 6.2 — 6.6.121

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in libceph's mon_handle_auth_done() through application of kernel stable patches.

prevent

Addresses the core issue of improper error propagation from ceph_auth_handle_reply_done() by enforcing secure error and exception handling to prevent NULL pointer dereference during failed authentication.

preventdetect

Provides network-level protections against remote denial-of-service exploitation via the authentication flaw that induces kernel crashes through malformed Ceph monitor responses.

References