CVE Catalog

CVE-2026-52957

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

In the Linux kernel's libceph library, a null pointer dereference vulnerability was found during decoding of choose_args in the CRUSH map. The issue occurs when a crafted CEPH_MSG_OSD_MAP message contains a corrupted CRUSH map with a bucket index pointing to a NULL entry, potentially causing a system crash.

Risk Assessment

An attacker can send a specially crafted Ceph message causing a null pointer dereference in the kernel, leading to a kernel panic and denial of service (DoS). Systems using Ceph are affected.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit that extends the bucket index check in decode_choose_args()). Prior to updating, restrict trusted sources of Ceph messages.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential null-ptr-deref in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index. This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS