CVE-2026-43407

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An out-of-bounds access exists in the ceph handle auth reply() function within libceph, triggered by a message of type 'CEPH MSG AUTH REPLY'. The issue occurs because the payload len field is stored as an integer; a value exceeding INT MAX causes an integer overflow, resulting in a negative value. This leads to the pointer address being decremented and subsequently accessed, as the ceph decode need() function only verifies that memory access does not exceed the allocation end address.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.