Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()

In __ceph_x_decrypt(), a part of the buffer p is interpreted as a
ceph_x_encrypt_header, and the magic field of this struct is accessed.
This happens without any guarantee that the buffer is large enough to
hold this struct. The function parameter ciphertext_len represents the
length of the ciphertext to decrypt and is guaranteed to be at most the
remaining size of the allocated buffer p. However, this value is not
necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message
frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold
the ciphertext at its end with a ciphertext_len of 8 or less, can
trigger an out-of-bounds memory access when accessing hdr->magic.

This patch fixes the issue by adding a check to ensure that the
decrypted plaintext in the buffer is large enough to represent at least
the ceph_x_encrypt_header.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Linux kernel’s Ceph decryption routine __ceph_x_decrypt(). While decrypting a message, the routine interprets part of the buffer as a ceph_x_encrypt_header and reads its magic field without verifying that the buffer is large enough to contain this header. The missing size check allows an out-of-bounds read if the ciphertext length is shorter than the header structure. This read can expose kernel memory contents and, if the read value is used later in kernel logic, could lead to a kernel panic or denial of service. No evidence in the description indicates privilege escalation.

Affected Systems

Any Linux kernel that loads the libceph module is potentially affected. The available information does not specify affected kernel releases or version ranges; therefore, all builds that include libceph and have not yet received the updated patch are in scope.

Risk and Exploitability

The CVSS base score is 7.5, reflecting high severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to inject or manipulate Ceph traffic to trigger the decryption routine with a specially crafted short ciphertext, thereby causing the out‑of‑bounds read. No public exploit is cited in the provided references, so the threat remains theoretical at present.

Generated by OpenCVE AI on June 28, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the __ceph_x_decrypt bounds‑check fix
  • If Ceph connectivity is not required, remove or blacklist the libceph module to eliminate the vulnerable code path
  • Monitor Ceph traffic for unexpected messages and consider temporarily disabling Ceph client services until the patch is applied

Generated by OpenCVE AI on June 28, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.
Title libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T12:08:01.634Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52956

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52956 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses