CVE-2026-23136
Published: 14 February 2026
Summary
CVE-2026-23136 is a high-severity vulnerability, of unspecified weakness type, in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 12.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-23136 is a vulnerability in the Linux kernel's libceph module, which handles Ceph distributed storage interactions. The issue arises in the osd_fault() function during fault recovery: when a connection is lost mid-payload or the sparse-read state machine errors out, the sparse-read state is not reset. This causes the OSD client to misinterpret the start of a new reply as a continuation of the previous one, potentially driving the sparse-read machinery into a permanent failure state and producing infinite error loops, such as repeated mismatches between data lengths and extent lengths followed by socket read errors.
A remote network attacker with no privileges or user interaction can exploit this vulnerability with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation involves triggering a connection fault during a sparse-read operation, causing the affected system to enter non-recoverable loops that consume resources and deny availability of Ceph OSD client functionality.
The provided kernel stable commit references detail the fix: patches to osd_fault() explicitly reset the sparse-read state upon faults, ensuring pending operations retry from a clean state and preventing the observed loops. Systems should apply these upstream patches from the linked git commits to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5901
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

libceph: reset sparse-read state in osd_fault()

When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state. If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like:

    libceph: [0] got 0 extents
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read

Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.
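A log check for the loop signature quoted above, as an added example (not part of the advisory or the kernel patch): it pairs each "data len ... != extent len ..." message with the "socket error on read" line that follows it and reports OSDs that keep repeating the same pair. The function name, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message shapes taken from the loop quoted in the advisory text.
MISMATCH = re.compile(r"libceph: data len (\d+) != extent len (\d+)")
SOCK_ERR = re.compile(r"libceph: (osd\d+) \S+ socket error on read")

def find_sparse_read_loops(lines, threshold=3):
    """Return sorted (osd, data_len, extent_len, count) tuples for OSDs that
    logged the same length mismatch followed by a read error at least
    `threshold` times. The threshold is an assumed tuning value."""
    pairs = Counter()
    pending = None  # last mismatch seen, waiting for its socket error line
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        s = SOCK_ERR.search(line)
        if s and pending is not None:
            # The mismatch line carries no OSD id, so attribute it to the next
            # read error (may misattribute if several OSDs fault at once).
            pairs[(s.group(1), *pending)] += 1
        if s:
            pending = None  # a read error without a mismatch is a normal fault
    return sorted(key + (n,) for key, n in pairs.items() if n >= threshold)

# Constructed sample in dmesg style; addresses are elided as in the advisory.
SAMPLE = """\
[  812.100001] libceph: osd3 (1)...:6805 socket error on read
[  901.000001] libceph: [0] got 0 extents
[  901.000002] libceph: data len 142248331 != extent len 0
[  901.000003] libceph: osd0 (1)...:6801 socket error on read
[  902.000002] libceph: data len 142248331 != extent len 0
[  902.000003] libceph: osd0 (1)...:6801 socket error on read
[  903.000002] libceph: data len 142248331 != extent len 0
[  903.000003] libceph: osd0 (1)...:6801 socket error on read
"""

if __name__ == "__main__":
    for osd, data_len, extent_len, count in find_sparse_read_loops(SAMPLE.splitlines()):
        print(f"{osd}: data len {data_len} != extent len {extent_len} repeated {count}x")
```

A single read error with no preceding mismatch, like the osd3 line in the sample, is treated as an ordinary connection fault and is not reported.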
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in libceph sparse-read fault handling directly enables remote exploitation to trigger resource-consuming infinite loops, matching application/system exploitation for endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the libceph kernel flaw by applying upstream patches that reset sparse-read state in osd_fault(), directly preventing exploitation and error loops.
Ensures the system handles connection faults and sparse-read errors securely without entering unrecoverable failure states that deny Ceph OSD client availability.
Protects against the remote denial-of-service attack triggered by connection faults during sparse-read operations, limiting resource exhaustion from infinite error loops.