CVE-2026-43406 - Vulnerability Details

- libceph: prevent potential out-of-bounds reads in process_message_header()

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in process_message_header()

If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().

Perform an explicit bounds check before decoding the message header.

Published: 2026-05-08

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the libceph module of the Linux kernel allows a malicious or corrupted message frame to cause the process_message_header() routine to read beyond the end of a valid message header. This out‑of‑bounds read can expose contents of kernel memory that are not intended to be visible, potentially leading to information disclosure. The defect was fixed by inserting an explicit bounds check before decoding the header.

Affected Systems

Linux kernel releases that include the libceph module and have not incorporated the bounds‑check patch. In particular, development releases such as 7.0:rc1, 7.0:rc2, and 7.0:rc3 are affected if still in use. Systems running older stable kernels that lack this fix remain vulnerable until they are updated.

Risk and Exploitability

The CVSS score of 9.1 marks this vulnerability as critical. The EPSS score of less than 1% indicates a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. It is inferred that an attacker would need to send a crafted message frame to a system with an active libceph module, most likely over network traffic to a Ceph service. Successful exploitation would allow an attacker to read kernel memory, but no confirmed remote or local exploitation cases are documented in the provided data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 76ccf21a12c5f6d6790bc32c7da82446d877b2f4
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 75582aaa580c11aed4c7731cad6b068b700e7efb
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 50156622eb0888e62541d715a98584480a1bc7cb
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< dbd857a9e1e33ea71eaf3e211877027e533770d1
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 69fe5af33fa3806f398d21c081d73c66e5523bc2
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 035867ae6f18df0aeedb2a57a5b74091bd4e3fe8
`cd1a677cad994021b19665ed476aea63f5d54f31`	affected	< 69fb5d91bba44ecf7eb80530b85fa4fb028921d5

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,76ccf21a12c5f6d6790bc32c7da82446d877b2f4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,75582aaa580c11aed4c7731cad6b068b700e7efb)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,50156622eb0888e62541d715a98584480a1bc7cb)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,dbd857a9e1e33ea71eaf3e211877027e533770d1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,69fe5af33fa3806f398d21c081d73c66e5523bc2)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,035867ae6f18df0aeedb2a57a5b74091bd4e3fe8)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,69fb5d91bba44ecf7eb80530b85fa4fb028921d5)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the libceph bounds‑check fix.
If Ceph is not required on the system, disable or blacklist the libceph kernel module to remove the vulnerable code path.
Restrict network traffic to Ceph communications using firewalls or network segmentation so that only trusted hosts can interact with the module.

Generated by OpenCVE AI on May 21, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8
https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb
https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5
https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2
https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb
https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4
https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1
https://lore.kernel.org/linux-cve-announce/2026050842-CVE-2026-43406-84a2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43406
https://www.cve.org/CVERecord?id=CVE-2026-43406

History

Thu, 21 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

Mon, 11 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Sat, 09 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-125

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-805
References		https://lore.kernel.org/linux-cve-announce/2026050842-CVE-2026-43406-84a2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43406 https://www.cve.org/CVERecord?id=CVE-2026-43406
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header.
Title		libceph: prevent potential out-of-bounds reads in process_message_header()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8 https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5 https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2 https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4 https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:46.246Z

Updated: 2026-05-11T22:23:58.001Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43406

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:52.137

Modified: 2026-05-21T19:09:31.857

Link: CVE-2026-43406

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43406 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T21:00:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object