CVE-2026-22991
Published: Jan 23, 2026
Modified: May 11, 2026
CVSS v3.1
7.5
Description
In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 5cf9c4a9959b6273675310d14a834ef14fbca37c - < 9b3730dabcf3764bfe3ff07caf55e641a0b45234affected 5cf9c4a9959b6273675310d14a834ef14fbca37c - < 851241d3f78a5505224dc21c03d8692f530256b4affected 5cf9c4a9959b6273675310d14a834ef14fbca37c - < ec1850f663da64842614c86b20fe734be070c2baaffected 5cf9c4a9959b6273675310d14a834ef14fbca37c - < 8081faaf089db5280c3be820948469f7c58ef8ddaffected 5cf9c4a9959b6273675310d14a834ef14fbca37c - < c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf+2 more versions |
Linux | Linux | affected 4.13unaffected 0 - < 4.13unaffected 5.10.248 - <= 5.10.*unaffected 5.15.198 - <= 5.15.*unaffected 6.1.161 - <= 6.1.*+4 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now