{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state",
    "id" : "2439852",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439852"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-440",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nlibceph: reset sparse-read state in osd_fault()\nWhen a fault occurs, the connection is abandoned, reestablished, and any\npending operations are retried. The OSD client tracks the progress of a\nsparse-read reply using a separate state machine, largely independent of\nthe messenger's state.\nIf a connection is lost mid-payload or the sparse-read state machine\nreturns an error, the sparse-read state is not reset. The OSD client\nwill then interpret the beginning of a new reply as the continuation of\nthe old one. If this makes the sparse-read machinery enter a failure\nstate, it may never recover, producing loops like:\nlibceph:  [0] got 0 extents\nlibceph: data len 142248331 != extent len 0\nlibceph: osd0 (1)...:6801 socket error on read\nlibceph: data len 142248331 != extent len 0\nlibceph: osd0 (1)...:6801 socket error on read\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\nstart from a clean state.", "A flaw was found in the Linux kernel's libceph OSD client. When a connection fault occurs during a sparse read, the sparse-read state is not properly reset. This allows a misbehaving or compromised Ceph OSD server, or a network adversary, to disrupt traffic. As a result, the client can misinterpret new data as a continuation of previous data, leading to a persistent failure mode, repeated errors, and continuous retry loops, effectively causing a Denial of Service (DoS) for Ceph clients performing sparse reads." ],
  "statement" : "A reliability and availability issue exists in the libceph OSD client sparse read handling. The client tracks progress of a sparse read reply using a separate state machine. When a connection fault happens mid-payload or when the sparse read state machine returns an error, the connection is abandoned and later reestablished and pending operations are retried. However, the sparse read state was not reset on the fault path. As a result the client can misinterpret the beginning of a new reply as a continuation of the previous reply. This can drive the sparse read machinery into a persistent failure mode that may never recover, producing repeated error messages and repeated socket read failures, effectively preventing successful reads and causing continuous retry loops. From a threat perspective the trigger can be a misbehaving or compromised Ceph OSD server, or a network adversary able to disrupt or truncate traffic, causing fault and retry sequences. The primary impact is denial of service for Ceph clients performing sparse reads.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13565",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.54.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19568",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.10.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13565",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.54.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19568",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.10.1.el9_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23136\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23136\nhttps://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23136-f28c@gregkh/T" ],
  "name" : "CVE-2026-23136",
  "csaw" : false
}