Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Use u32 for non-negative values in ceph_monmap_decode()

This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from storing non-negative values in signed 32-bit integers during the decoding of Ceph monitor maps. Because blob_len and num_mon are declared as signed integers, an incoming unsigned value that is larger than 2^31-1 is interpreted as a negative number. The code later uses num_mon as an unsigned value when allocating memory for the monitor map, so a very large numeric value can cause the kernel to attempt to allocate an excessively large block of memory. This allocation fails, returning -ENOMEM; if the failure path is not handled correctly, it can trigger a denial-of-service by exhausting kernel resources or causing kernel instability.
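The signedness problem described above, reduced to a stand-alone C program. This is an added example, not the kernel's code: MAX_MON, MON_ENTRY_SIZE, ALLOC_LIMIT, try_alloc() and the sample buffers are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_MON 31                      /* assumed stand-in for CEPH_MAX_MON */
#define MON_ENTRY_SIZE 160              /* constructed per-monitor entry size */
#define ALLOC_LIMIT ((size_t)1 << 22)   /* constructed allocator limit */

/* Constructed wire samples: a little-endian 32-bit monitor count. */
static const unsigned char SAMPLE_BIG[4] = { 0xff, 0xff, 0xff, 0xff };
static const unsigned char SAMPLE_OK[4]  = { 0x03, 0x00, 0x00, 0x00 };

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in allocator: refuses oversized requests, as a real one would. */
static int try_alloc(size_t n)
{
    return n > ALLOC_LIMIT ? -ENOMEM : 0;
}

/* Pre-patch pattern: the count is held in a signed int. */
static int decode_signed(const unsigned char *msg)
{
    int num_mon = (int)get_le32(msg);   /* large values turn negative */
    if (num_mon > MAX_MON)              /* signed compare: negative passes */
        return -EINVAL;
    /* The count is then treated as unsigned when sizing the allocation. */
    return try_alloc((size_t)(uint32_t)num_mon * MON_ENTRY_SIZE);
}

/* Post-patch pattern: the count stays unsigned from decode to check. */
static int decode_unsigned(const unsigned char *msg)
{
    uint32_t num_mon = get_le32(msg);
    if (num_mon > MAX_MON)              /* unsigned compare: rejected here */
        return -EINVAL;
    return try_alloc((size_t)num_mon * MON_ENTRY_SIZE);
}

int main(void)
{
    printf("signed:   big=%d ok=%d\n", decode_signed(SAMPLE_BIG), decode_signed(SAMPLE_OK));
    printf("unsigned: big=%d ok=%d\n", decode_unsigned(SAMPLE_BIG), decode_unsigned(SAMPLE_OK));
    return 0;
}
```

With the signed variable the oversized count reaches the allocator and comes back as -ENOMEM; with the unsigned variable the bounds check rejects it with -EINVAL before any allocation is attempted.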

Affected Systems

This flaw affects any Linux kernel that includes the libceph component and implements the ceph_monmap_decode() routine. Kernel versions patched to change blob_len and num_mon from signed int to unsigned u32 are no longer vulnerable; all earlier kernel releases that have not applied the patch remain affected.

Risk and Exploitability

Based on the description, it is inferred that an attacker must be able to inject a crafted Ceph monitor map that contains an oversized num_mon value into a node running the affected kernel. The CVSS score of 7.0 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests limited known exploitation. The attack path is straightforward: send a monitor map with a num_mon value exceeding CEPH_MAX_MON to a Ceph client or server, triggering the kernel to attempt a large allocation and possibly fail, leading to a denial‑of‑service condition.

Generated by OpenCVE AI on May 9, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that changes blob_len and num_mon to unsigned 32‑bit types, or backport the fix for older kernel versions.
  • If the patch cannot be applied immediately, enforce strict validation of Ceph monitor maps on the ingress side, rejecting any map whose num_mon value exceeds CEPH_MAX_MON before allocation.
  • Configure resource limits or cgroups for Ceph clients and servers to guard against unexpectedly large memory allocation attempts.
  • Monitor kernel memory usage and system responsiveness for signs of frequent -ENOMEM failures that could indicate an attempted exploitation.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-680

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-680

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL.
Title libceph: Use u32 for non-negative values in ceph_monmap_decode()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-09T04:10:50.413Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43405

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:52.013

Modified: 2026-05-08T15:16:52.013

Link: CVE-2026-43405

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43405 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses