CVE-2026-23136 (GCVE-0-2026-23136)

Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
Title
libceph: reset sparse-read state in osd_fault()
Summary
In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read state in osd_fault() When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state. If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like: libceph: [0] got 0 extents libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff (git)
Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < e94075e950a6598e710b9f7dffea5aa388f40313 (git)
Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 10b7c72810364226f7b27916ea3e2a4f870bc04b (git)
Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 11194b416ef95012c2cfe5f546d71af07b639e93 (git)
Create a notification for this product.
    Linux Linux Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.121 , ≤ 6.6.* (semver)
Unaffected: 6.12.66 , ≤ 6.12.* (semver)
Unaffected: 6.18.6 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/osd_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff",
              "status": "affected",
              "version": "f628d799972799023d32c2542bb2639eb8c4f84e",
              "versionType": "git"
            },
            {
              "lessThan": "e94075e950a6598e710b9f7dffea5aa388f40313",
              "status": "affected",
              "version": "f628d799972799023d32c2542bb2639eb8c4f84e",
              "versionType": "git"
            },
            {
              "lessThan": "10b7c72810364226f7b27916ea3e2a4f870bc04b",
              "status": "affected",
              "version": "f628d799972799023d32c2542bb2639eb8c4f84e",
              "versionType": "git"
            },
            {
              "lessThan": "11194b416ef95012c2cfe5f546d71af07b639e93",
              "status": "affected",
              "version": "f628d799972799023d32c2542bb2639eb8c4f84e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/osd_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.121",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.66",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.6",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: reset sparse-read state in osd_fault()\n\nWhen a fault occurs, the connection is abandoned, reestablished, and any\npending operations are retried. The OSD client tracks the progress of a\nsparse-read reply using a separate state machine, largely independent of\nthe messenger\u0027s state.\n\nIf a connection is lost mid-payload or the sparse-read state machine\nreturns an error, the sparse-read state is not reset. The OSD client\nwill then interpret the beginning of a new reply as the continuation of\nthe old one. If this makes the sparse-read machinery enter a failure\nstate, it may never recover, producing loops like:\n\n  libceph:  [0] got 0 extents\n  libceph: data len 142248331 != extent len 0\n  libceph: osd0 (1)...:6801 socket error on read\n  libceph: data len 142248331 != extent len 0\n  libceph: osd0 (1)...:6801 socket error on read\n\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\nstart from a clean state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T15:22:21.952Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/e94075e950a6598e710b9f7dffea5aa388f40313"
        },
        {
          "url": "https://git.kernel.org/stable/c/10b7c72810364226f7b27916ea3e2a4f870bc04b"
        },
        {
          "url": "https://git.kernel.org/stable/c/11194b416ef95012c2cfe5f546d71af07b639e93"
        }
      ],
      "title": "libceph: reset sparse-read state in osd_fault()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23136",
    "datePublished": "2026-02-14T15:22:21.952Z",
    "dateReserved": "2026-01-13T15:37:45.971Z",
    "dateUpdated": "2026-02-14T15:22:21.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23136\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T16:15:53.590\",\"lastModified\":\"2026-02-14T16:15:53.590\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlibceph: reset sparse-read state in osd_fault()\\n\\nWhen a fault occurs, the connection is abandoned, reestablished, and any\\npending operations are retried. The OSD client tracks the progress of a\\nsparse-read reply using a separate state machine, largely independent of\\nthe messenger\u0027s state.\\n\\nIf a connection is lost mid-payload or the sparse-read state machine\\nreturns an error, the sparse-read state is not reset. The OSD client\\nwill then interpret the beginning of a new reply as the continuation of\\nthe old one. If this makes the sparse-read machinery enter a failure\\nstate, it may never recover, producing loops like:\\n\\n  libceph:  [0] got 0 extents\\n  libceph: data len 142248331 != extent len 0\\n  libceph: osd0 (1)...:6801 socket error on read\\n  libceph: data len 142248331 != extent len 0\\n  libceph: osd0 (1)...:6801 socket error on read\\n\\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\\nstart from a clean state.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/10b7c72810364226f7b27916ea3e2a4f870bc04b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/11194b416ef95012c2cfe5f546d71af07b639e93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e94075e950a6598e710b9f7dffea5aa388f40313\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.