Bug 2439852 (CVE-2026-23136)

Summary: CVE-2026-23136 kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's libceph OSD client. When a connection fault occurs during a sparse read, the sparse-read state is not properly reset. This allows a misbehaving or compromised Ceph OSD server, or a network adversary, to disrupt traffic. As a result, the client can misinterpret new data as a continuation of previous data, leading to a persistent failure mode, repeated errors, and continuous retry loops, effectively causing a Denial of Service (DoS) for Ceph clients performing sparse reads.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-14 16:01:46 UTC
In the Linux kernel, the following vulnerability has been resolved:

libceph: reset sparse-read state in osd_fault()

When a fault occurs, the connection is abandoned, reestablished, and any
pending operations are retried. The OSD client tracks the progress of a
sparse-read reply using a separate state machine, largely independent of
the messenger's state.

If a connection is lost mid-payload or the sparse-read state machine
returns an error, the sparse-read state is not reset. The OSD client
will then interpret the beginning of a new reply as the continuation of
the old one. If this makes the sparse-read machinery enter a failure
state, it may never recover, producing loops like:

  libceph:  [0] got 0 extents
  libceph: data len 142248331 != extent len 0
  libceph: osd0 (1)...:6801 socket error on read
  libceph: data len 142248331 != extent len 0
  libceph: osd0 (1)...:6801 socket error on read

Therefore, reset the sparse-read state in osd_fault(), ensuring retries
start from a clean state.

Comment 4 errata-xmlrpc 2026-05-04 21:20:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:13565 https://access.redhat.com/errata/RHSA-2026:13565

Comment 5 errata-xmlrpc 2026-05-20 12:57:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568

Comment 7 errata-xmlrpc 2026-06-22 05:04:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:27731 https://access.redhat.com/errata/RHSA-2026:27731

Comment 8 errata-xmlrpc 2026-06-22 05:55:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:27708 https://access.redhat.com/errata/RHSA-2026:27708