CVE Catalog

CVE-2026-52954

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

In the Linux kernel's libceph, a vulnerability was found due to missing error handling in the rbtree insertion within decode_choose_args(). A malicious or corrupted CEPH_MSG_OSD_MAP message can contain two choose_args entries with the same index, triggering an assertion and causing a kernel BUG.

Risk Assessment

An attacker can send a crafted CEPH_MSG_OSD_MAP message, causing a kernel panic and disrupting services relying on Ceph, leading to a denial of service (DoS).

Recommendation

Immediately update the Linux kernel to a version containing the fix, which replaces the assertion with safe rbtree insertion and rejects malformed messages.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]

Vulnerability data from NVD (NIST) · CISA KEV · EPSS