CVE-2026-52954

Enriched by CISA
 

In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]
https://nvd.nist.gov/vuln/detail/CVE-2026-52954

Categories

No category defined

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Linux Linux
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c7bf7864e2924fa5508ac270b0e9364bc13d5a6c [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f47430fc1f815e87406e2d3b4e476eff1bc7fd9b [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 534ebc08df97c47d4c7596f336fa31ecbf91519c [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 80c73bd1b2b04355d1d0c29be8ccbd25a380905d [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4d2b37abda9536808655830d683dc491d31741a8 [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0a1265a9ab875f92b6a3ffb497404f46cf9d76a3 [affected]
  • 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d289478cfc0bcf81c7914200d6abdcb78bd04ded [affected]
  • < 5.10.258 [affected]
  • < 5.15.209 [affected]
  • < 6.1.175 [affected]
  • < 6.6.141 [affected]
  • < 6.12.91 [affected]
  • < 6.18.33 [affected]
  • < 7.0.10 [affected]
Linux Linux
  • 5.10.258 ≤ 5.10.* [unaffected]
  • 5.15.209 ≤ 5.15.* [unaffected]
  • 6.1.175 ≤ 6.1.* [unaffected]
  • 6.6.141 ≤ 6.6.* [unaffected]
  • 6.12.91 ≤ 6.12.* [unaffected]
  • 6.18.33 ≤ 6.18.* [unaffected]
  • 7.0.10 ≤ 7.0.* [unaffected]
  • 7.1 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.10.258
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.15.209
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.1.175
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.6.141
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.12.91
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.18.33
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.0.10
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.1

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry