Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Linux kernel’s libceph module. A malicious or compromised CEPH OSD_MAP message can contain duplicate CRUSH choose‑args indices. When the libceph decode_choose_args() routine attempts to insert a second entry with the same key, an assertion inside insert_choose_arg_map() fires a BUG, causing a kernel panic. This results in a sudden crash of the affected system and a loss of availability, but does not provide an attacker with remote code execution or other privileges. The weakness can be classified under CWE‑617 for unchecked return values during data structure insertion.

Affected Systems

All Linux kernels that compile the libceph code and are used in Ceph storage clusters are potentially affected, regardless of version, until the patch that replaces the asserting rbtree insertion with a non‑asserting variant is applied. The affectation applies to any distribution that ships the upstream kernel without backporting this fix, including bare‑metal or container hosts running Ceph clients or servers.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity denial‑of‑service impact. The EPSS score of < 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve sending a crafted CEPH OSD_MAP packet across the network to a node that accepts Ceph traffic, which may be over an untrusted or partially trusted environment. As such, the risk remains moderate, and applying the vendor patch is strongly recommended.

Generated by OpenCVE AI on June 28, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that replaces the asserting rbtree insertion with the non‑asserting version and rejects duplicate choose‑arg entries. This is the definitive fix.
  • If the update is not yet available from your distribution, rebuild the kernel with the upstream patch or use a more recent kernel release that contains the fix.
  • In the interim, isolate or block Ceph OSD_MAP traffic from untrusted networks using firewall rules or network segmentation to reduce the chance of receiving malicious CEPH messages.

Generated by OpenCVE AI on June 28, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-690

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-690

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]
Title libceph: handle rbtree insertion error in decode_choose_args()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-29T04:18:41.413Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52954

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52954 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses