{"id":"CVE-2026-22991","summary":"libceph: make free_choose_arg_map() resilient to partial allocation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map-\u003eargs\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map-\u003esize is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map-\u003eargs and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating.","modified":"2026-04-28T04:11:45.726378Z","published":"2026-01-23T15:24:12.191Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:1078-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22991.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22991.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22991"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5cf9c4a9959b6273675310d14a834ef14fbca37c"},{"fixed":"9b3730dabcf3764bfe3ff07caf55e641a0b45234"},{"fixed":"851241d3f78a5505224dc21c03d8692f530256b4"},{"fixed":"ec1850f663da64842614c86b20fe734be070c2ba"},{"fixed":"8081faaf089db5280c3be820948469f7c58ef8dd"},{"fixed":"c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"},{"fixed":"f21c3fdb96833aac2f533506899fe38c19cf49d5"},{"fixed":"e3fe30e57649c551757a02e1cad073c47e1e075e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22991.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}