CVE Catalog

CVE-2026-52955

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

29th percentile — higher than 29% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the crush_decode() function of the libceph library allows out-of-bounds memory access. The issue occurs when two fields specifying the bucket algorithm in a CRUSH map differ, leading to incorrect memory allocation and potential buffer overflow.

Risk Assessment

An attacker can remotely send a crafted OSD map, causing a system crash (DoS) or potentially gaining unauthorized access to kernel memory, threatening system confidentiality and integrity.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit adding validation of alg and b->alg fields). Before updating, restrict trusted OSD map sources in Ceph configuration.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in crush_decode() A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing. This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().

Vulnerability data from NVD (NIST) · CISA KEV · EPSS