Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential null-ptr-deref in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
array of max_buckets CRUSH buckets is decoded, where some indices may
not refer to actual buckets and are therefore set to NULL. The received
CRUSH map may optionally contain choose_args that get decoded in
decode_choose_args(). When decoding a crush_choose_arg_map, a series of
choose_args for different buckets is decoded, with the bucket_index
being read from the incoming message. It is only checked that the bucket
index does not exceed max_buckets, but not that it doesn't point to an
index with a NULL bucket. If a (potentially corrupted) message contains
a crush_choose_arg_map including such a bucket_index, a null pointer
dereference may occur in the subsequent processing when attempting to
access the bucket with the given index.

This patch fixes the issue by extending the affected check. Now, it is
only attempted to access the bucket if it is not NULL.
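The extended check the patch describes, as an added illustrative C model that is not the kernel's code (the bucket and map structures, the one-u32 entry layout, the error codes and the function names are assumptions):

```c
/* Added illustrative model, not the kernel's code: a choose_args entry names a
 * bucket_index that must be range-checked against max_buckets AND checked for
 * a NULL slot before use. Names and the one-u32 entry layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>

struct crush_bucket { uint32_t id; uint32_t size; };
struct crush_map { struct crush_bucket **buckets; uint32_t max_buckets; };

enum { DECODE_OK = 0, DECODE_SHORT = -1, DECODE_EINVAL = -22 };

/* Read a little-endian u32 from the message, failing on short input. */
static int decode_u32(const uint8_t **p, const uint8_t *end, uint32_t *v)
{
    if (end - *p < 4)
        return DECODE_SHORT;
    *v = (uint32_t)(*p)[0] | (uint32_t)(*p)[1] << 8 |
         (uint32_t)(*p)[2] << 16 | (uint32_t)(*p)[3] << 24;
    *p += 4;
    return DECODE_OK;
}
/* Decode one entry; return the referenced bucket's size or a negative error. */
static long decode_choose_arg_entry(const uint8_t **p, const uint8_t *end,
                                    const struct crush_map *c)
{
    uint32_t bucket_index;
    int ret = decode_u32(p, end, &bucket_index);
    if (ret)
        return ret;
    if (bucket_index >= c->max_buckets)      /* pre-existing range check */
        return DECODE_EINVAL;
    if (c->buckets[bucket_index] == NULL)    /* extended check: slot may be empty */
        return DECODE_EINVAL;
    return c->buckets[bucket_index]->size;   /* safe to dereference now */
}

/* Constructed sample: 4 slots with slot 2 left NULL (a gap in the decoded
 * bucket array); feeds an entry naming slot `idx` and returns the result. */
long try_entry(uint32_t idx)
{
    static struct crush_bucket b0 = { 0, 3 }, b1 = { 1, 5 }, b3 = { 3, 2 };
    struct crush_bucket *slots[4] = { &b0, &b1, NULL, &b3 };
    struct crush_map c = { slots, 4 };
    uint8_t msg[4];
    for (int i = 0; i < 4; i++)
        msg[i] = (uint8_t)(idx >> (8 * i));
    const uint8_t *p = msg;
    return decode_choose_arg_entry(&p, msg + sizeof msg, &c);
}
```

With only the range check, an entry naming slot 2 would pass and the NULL slot would be dereferenced; with the NULL check it is rejected as invalid input instead.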
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The libceph component of the Linux kernel contains a flaw in decode_choose_args(), the function that decodes the choose_args of a CRUSH map: the bucket_index read from the message is checked against max_buckets but not against the bucket array itself, so an index whose slot holds a NULL bucket is dereferenced. The kernel then accesses an invalid memory address and crashes. The impact is a denial of service on the affected node.

Affected Systems

Linux kernel installations that use Ceph storage via libceph and have not applied the recent commit that fixes the check are affected. The vulnerability is present in any kernel version containing the libceph code before the patch; specific version numbers are not supplied, so all prior kernel releases that handle CEPH_MSG_OSD_MAP messages are considered vulnerable.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS is not available, but the vulnerability can crash the kernel when a corrupted CEPH message is processed. An attacker who can inject malformed CEPH_MSG_OSD_MAP traffic into the system might trigger the null-pointer dereference, resulting in a kernel panic and interruption of services. Because the node must be receiving Ceph traffic for the flaw to be reachable, the attack vector is inferred from the description to be the network side of Ceph message handling.

Generated by OpenCVE AI on June 24, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the libceph patch introduced by commit 28b0a2ab8c82d
  • If a kernel upgrade is not possible, manually apply the patch to the kernel source tree to correct the null pointer dereference in decode_choose_args
  • Restrict or monitor Ceph network traffic so that malformed CEPH_MSG_OSD_MAP messages cannot reach vulnerable nodes



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description                           (see the Description section above)
Title                                 libceph: Fix potential null-ptr-deref in decode_choose_args()
First Time appeared                   Linux
                                      Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux
                                      Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:39.066Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52957

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses

No weakness.