Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in osdmap_decode()

When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.

This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).
Published: 2026-06-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A boundary check bug in the Linux kernel’s libceph osdmap_decode function can cause an out‑of‑bounds read or write when decoding osd_state and osd_weight data. The flaw arises because the ceph_decode_need() check only verifies a single element of the osd_weight array instead of accounting for the entire map of maximum OSD entries, allowing memory corruption or data leakage if an incoming message reports a max_osd larger than the actual data size.

Affected Systems

All Linux kernel installations that include the libceph module are potentially affected; the CVE does not specify a version range, so any kernel before the patch that introduced the corrected ceph_decode_need() check remains vulnerable.

Risk and Exploitability

The likely attack vector is an attacker who can send a malformed Ceph OSD map to the kernel, such as through Ceph network traffic or a local client with Ceph protocol access. Based on the description, exploitation would read or overwrite kernel memory, potentially leading to a crash or elevation of privilege; however, the exploit requires crafting the message and targeting systems that receive Ceph data. The CVSS score of 9.1 indicates high severity, while the EPSS score of <1% suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of known exploits in the wild.

Generated by OpenCVE AI on June 28, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the osdmap_decode bounds check fix
  • Restrict network traffic to Ceph services to trusted, authenticated sources to limit exposure to malformed messages
  • Enable kernel memory protection features such as SMAP or CONFIG_SAFE_KERNEL to mitigate the impact of any remaining memory errors

Generated by OpenCVE AI on June 28, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in osdmap_decode() When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message. This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osd*sizeof(*map->osd_weight).
Title libceph: Fix potential out-of-bounds access in osdmap_decode()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:19.643Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52958

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52958 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input