CVE-2026-23201 – ceph: fix oops due to invalid pointer for kfree() in parse_longname()

CVE ID : CVE-2026-23201

Published : Feb. 14, 2026, 5:15 p.m. | 1 hour, 14 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

ceph: fix oops due to invalid pointer for kfree() in parse_longname()

This fixes a kernel oops when reading ceph snapshot directories (.snap),
for example by simply running `ls /mnt/my_ceph/.snap`.

The variable str is guarded by __free(kfree), but advanced by one for
skipping the initial ‘_’ in snapshot names. Thus, kfree() is called
with an invalid pointer. This patch removes the need for advancing the
pointer so kfree() is called with correct memory pointer.

Steps to reproduce:

1. Create snapshots on a cephfs volume (I’ve 63 snaps in my testcase)

2. Add cephfs mount to fstab
$ echo “samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0” >> /etc/fstab

3. Reboot the system
$ systemctl reboot

4. Check if it’s really mounted
$ mount | grep stuff

5. List snapshots (expected 63 snapshots on my system)
$ ls /mnt/test/stuff/.snap

Now ls hangs forever and the kernel log shows the oops.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…