Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Use u32 for non-negative values in ceph_monmap_decode()

This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a sign‑to‑unsigned conversion flaw (CWE‑681) in ceph_monmap_decode() where signed int variables blob_len and num_mon are used to store non‑negative values that are decoded from a Ceph monitor map. An excessively large unsigned value can be interpreted as a negative signed integer, so the subsequent check against CEPH_MAX_MON is bypassed. When this value is later cast to an unsigned u32 for memory allocation, the kernel attempts to allocate an enormous block of memory, which typically fails and returns –ENOMEM. This may result in an unexpected error response from ceph_monmap_decode() and could disrupt normal operation of the Ceph monitor service.

Affected Systems

The flaw affects all Linux kernel releases that contain the libceph component with the original ceph_monmap_decode() implementation. Versions patched to declare blob_len and num_mon as u32 are not vulnerable. The entire range of pre‑patch kernels is therefore at risk.

Risk and Exploitability

Based on the description, the likely attack vector involves an attacker supplying a crafted Ceph monitor map with an oversized num_mon value to a node running the affected kernel. The CVSS score of 7.5 indicates high severity. The EPSS score of < 1 % represents a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. If exploited, the kernel may attempt to allocate an abnormally large block of memory and subsequently fail, leading to an error condition that could disrupt Ceph services or affect stability.

Generated by OpenCVE AI on May 21, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that declares blob_len and num_mon as u32.
  • If an upgrade is not immediately possible, validate Ceph monitor maps before processing, rejecting any map where num_mon exceeds CEPH_MAX_MON.
  • Restrict memory usage for Ceph processes using cgroups or kernel limits to mitigate the impact of large allocation attempts.
  • Monitor kernel logs for repeated –ENOMEM errors, which may indicate attempted exploitation.

Generated by OpenCVE AI on May 21, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-680

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-680

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL.
Title libceph: Use u32 for non-negative values in ceph_monmap_decode()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:23:56.777Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43405

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:52.013

Modified: 2026-05-21T19:16:09.970

Link: CVE-2026-43405

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43405 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T21:00:16Z

Weaknesses