Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]
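The duplicate-index case described above, modelled in userspace C as an added example; it is not the kernel patch or libceph code. The wire format, the plain BST standing in for the rbtree, the names `try_insert`, `decode_choose_args_model` and `demo_duplicate`, and the errno values returned are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model: a plain BST stands in for the kernel rbtree. */
struct arg_map { uint64_t choose_args_index; struct arg_map *left, *right; };

/* Non-asserting insert: reports a duplicate key instead of aborting. */
static bool try_insert(struct arg_map **link, struct arg_map *m)
{
    while (*link) {
        uint64_t k = (*link)->choose_args_index;
        if (m->choose_args_index == k) return false;
        link = m->choose_args_index < k ? &(*link)->left : &(*link)->right;
    }
    *link = m;
    return true;
}

/* Constructed format: u32 count, then count u64 indices (host byte order).
 * Returns the number of maps accepted or a negative errno (assumed codes). */
int decode_choose_args_model(const uint8_t *p, size_t len)
{
    struct arg_map *root = NULL, *maps;
    uint32_t n, i;
    int ret = -EEXIST;
    if (len < sizeof(n)) return -EINVAL;
    memcpy(&n, p, sizeof(n)); p += sizeof(n); len -= sizeof(n);
    if (len / sizeof(uint64_t) < n) return -EINVAL;    /* truncated */
    maps = calloc(n ? n : 1, sizeof(*maps));
    if (!maps) return -ENOMEM;
    for (i = 0; i < n; i++, p += sizeof(uint64_t)) {
        memcpy(&maps[i].choose_args_index, p, sizeof(uint64_t));
        if (!try_insert(&root, &maps[i])) goto out;    /* duplicate: reject */
    }
    ret = (int)n;
out:
    free(maps);                        /* the model only validates */
    return ret;
}

/* Constructed sample: count = 2, indices {5, 5}. */
int demo_duplicate(void)
{
    uint32_t n = 2; uint64_t idx[2] = {5, 5}; uint8_t msg[4 + 16];
    memcpy(msg, &n, sizeof(n)); memcpy(msg + sizeof(n), idx, sizeof(idx));
    return decode_choose_args_model(msg, sizeof(msg));
}
```

An asserting insert would abort the whole process on the second `5`; here the decoder returns an error and the caller can drop the message.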
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed or malicious Ceph message containing duplicate CRUSH choose-args indices can trigger an assertion in the kernel's rbtree insertion logic. When the second duplicate entry is processed, the kernel fires a BUG and panics, causing a system crash. The vulnerability does not provide a path to arbitrary code execution, but it can be used to force a restart of the affected host, disrupting availability of services that rely on a stable kernel.

Affected Systems

The flaw resides in the Linux kernel’s libceph module and affects any Linux system that operates a Ceph storage cluster. No specific kernel release is listed, so all kernels that compile the affected libceph code are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score for this issue is not provided, but the potential impact is high due to the kernel panic. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network-based, whereby an attacker sends a crafted Ceph OSD map message to a cluster node, triggering the kernel BUG. Because Ceph communication typically occurs over untrusted networks, the risk remains significant until the kernel is updated.

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's kernel patch that replaces the asserting rbtree insertion with the non‑asserting version and rejects duplicate choose‑arg entries. This is the only definitive fix for the vulnerability.
  • If the patch has not been released in your distribution’s kernel package, rebuild the kernel with the patch committed by the Linux kernel maintainers or update to a newer kernel release that contains the fix.
  • Until the patch is available, restrict or filter Ceph OSD_MAP traffic to trusted networks using firewall rules or network segmentation to reduce exposure to crafted Ceph messages.

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Values added (none removed):
  • Weaknesses: CWE-20, CWE-690

Wed, 24 Jun 2026 17:15:00 +0000

Values added (none removed):
  • Description: In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]
  • Title: libceph: handle rbtree insertion error in decode_choose_args()
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:36.992Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52954

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-690

    Unchecked Return Value to NULL Pointer Dereference