Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.

This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().
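A reduced C model of the check the fix describes, added here as an illustration and not the kernel's code: the outer alg sizes the allocation, the inner b->alg is compared against it before anything else uses it, and a mismatch zeroes b->alg and releases the bucket through the generic destroy routine, which now owns the free(). The two bucket kinds, their struct layouts and the three-byte [alg][b->alg][size] wire layout are this example's assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Two reduced bucket kinds stand in for the CRUSH algorithms; the layouts
 * are this example's own, not the kernel's. */
enum { BUCKET_UNIFORM = 1, BUCKET_LIST = 2 };

struct bucket { uint8_t alg; uint32_t size; uint32_t *items; };  /* alg = b->alg */
struct bucket_uniform { struct bucket h; uint32_t item_weight; };
struct bucket_list    { struct bucket h; uint32_t *item_weights; };

/* Generic destroy: the free() of the bucket itself lives here, so a bucket
 * whose b->alg was zeroed after a mismatch is released without dispatching
 * on a type it was never allocated as. */
void destroy_bucket(struct bucket *b)
{
    if (!b) return;
    if (b->alg == BUCKET_LIST)      /* only trusted once alg == b->alg held */
        free(((struct bucket_list *)b)->item_weights);
    free(b->items);
    free(b);
}

/* Decode one bucket from a constructed wire layout [alg][b->alg][size].
 * Returns 0 with *out set, or a negative errno with *out == NULL. */
int decode_bucket(const uint8_t *buf, size_t len, struct bucket **out)
{
    struct bucket *b; uint8_t alg;

    *out = NULL;
    if (len < 3) return -EINVAL;
    alg = buf[0];                   /* first field: sizes the allocation */
    if (alg == BUCKET_UNIFORM)      b = calloc(1, sizeof(struct bucket_uniform));
    else if (alg == BUCKET_LIST)    b = calloc(1, sizeof(struct bucket_list));
    else                            return -EINVAL;
    if (!b) return -ENOMEM;
    b->alg = buf[1];                /* second field: used by everything after */
    if (b->alg != alg) {            /* the added check */
        b->alg = 0;                 /* destroy must not dispatch on it */
        destroy_bucket(b);
        return -EINVAL;
    }
    b->size = buf[2];
    b->items = calloc(b->size + 1u, sizeof(uint32_t));
    if (alg == BUCKET_LIST)
        ((struct bucket_list *)b)->item_weights = calloc(b->size + 1u, sizeof(uint32_t));
    *out = b;
    return 0;
}
```

Without the zeroing, a uniform-sized allocation whose b->alg still said "list" would make destroy read item_weights past the end of the smaller struct, which is the second out-of-bounds access the description mentions.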
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is triggered when a CEPH_MSG_OSD_MAP containing a crush map with mismatched bucket algorithm fields is processed by the kernel. The first algorithm field determines the allocation size for a bucket, while the second field is used during later processing. If these fields differ, an out-of-bounds memory access occurs, leading to possible kernel memory corruption or system crash.

Affected Systems

All Linux kernel builds that include libceph support and lack the crush_decode() patch are affected, i.e. any distribution kernel built before the fix referenced in this CVE was merged.

Risk and Exploitability

The flaw requires an attacker to inject a crafted CEPH_MSG_OSD_MAP into the kernel’s processing path, which is likely achievable over the network to a Ceph OSD node. No public exploit has been reported and the EPSS score is unavailable, but the kernel memory corruption nature of the defect warrants a high security importance. The vulnerability is not listed in the CISA KEV catalog, so documented exploitation is currently unknown.

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version containing the crush_decode() patch (for example, kernel 6.6 or later).
  • Reboot the affected systems or restart the Ceph OSD services so the updated kernel is active.
  • If a kernel upgrade cannot be applied immediately, restrict network access to Ceph OSD nodes to trusted hosts to reduce the risk of a crafted CEPH_MSG_OSD_MAP reaching the kernel.

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

  • Weaknesses: added CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

  • Description: added (the text reproduced under Description above)
  • Title: added "libceph: Fix potential out-of-bounds access in crush_decode()"
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linux; Linux linux Kernel
  • References: none listed

MITRE

Status: PUBLISHED

Assigner: Linux

Updated: 2026-06-24T16:28:37.748Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52955

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer