CVE-2026-52955

Enriched by CISA
 

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing.

This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().
https://nvd.nist.gov/vuln/detail/CVE-2026-52955
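The check the description outlines, as an added userspace sketch in C. It is not the kernel patch or libceph code; the struct names, the two bucket types and the two-field wire layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model only: types, sizes and wire layout are assumptions. */
enum { ALG_UNIFORM = 1, ALG_LIST = 2 };
struct bucket { uint32_t alg; };                        /* common header */
struct bucket_uniform { struct bucket h; uint32_t item_weight; };
struct bucket_list { struct bucket h; uint32_t *item_weights, *sum_weights; };

static size_t alloc_size(uint32_t alg)
{
    if (alg == ALG_UNIFORM) return sizeof(struct bucket_uniform);
    if (alg == ALG_LIST) return sizeof(struct bucket_list);
    return 0;                                           /* unknown type */
}

/* Generic teardown: type-specific members first, then one free of the bucket. */
static void destroy_bucket(struct bucket *b)
{
    if (!b) return;
    if (b->alg == ALG_LIST) {   /* safe only if alg matches the allocation size */
        struct bucket_list *l = (struct bucket_list *)b;
        free(l->item_weights);
        free(l->sum_weights);
    }
    free(b);
}

/* Constructed layout, host byte order: [outer alg][inner alg]. */
static struct bucket *decode_bucket(const uint8_t *p, size_t len)
{
    uint32_t f[2];
    if (len < sizeof(f)) return NULL;
    memcpy(f, p, sizeof(f));
    size_t n = alloc_size(f[0]);        /* allocation is sized by the outer field */
    struct bucket *b = n ? calloc(1, n) : NULL;
    if (!b) return NULL;
    b->alg = f[1];                      /* later code dispatches on the inner field */
    if (b->alg != f[0]) {               /* mismatch: stop before type-specific work */
        b->alg = 0;                     /* teardown must not trust the untrusted type */
        destroy_bucket(b);
        return NULL;
    }
    return b;
}

int main(void)
{
    uint32_t bad[2] = { ALG_UNIFORM, ALG_LIST };        /* constructed mismatch */
    return decode_bucket((const uint8_t *)bad, sizeof(bad)) != NULL; /* 0: rejected */
}
```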

Categories

No category defined


AFFECTED (from MITRE)


Vendor Product Versions
Linux Linux
  • < 5.10.258 [affected]
  • < 5.15.209 [affected]
  • < 6.1.175 [affected]
  • < 6.6.141 [affected]
  • < 6.12.91 [affected]
  • < 6.18.33 [affected]
  • < 7.0.10 [affected]
Linux Linux
  • 5.10.258 ≤ 5.10.* [unaffected]
  • 5.15.209 ≤ 5.15.* [unaffected]
  • 6.1.175 ≤ 6.1.* [unaffected]
  • 6.6.141 ≤ 6.6.* [unaffected]
  • 6.12.91 ≤ 6.12.* [unaffected]
  • 6.18.33 ≤ 6.18.* [unaffected]
  • 7.0.10 ≤ 7.0.* [unaffected]
  • 7.1 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.10.258
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.15.209
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.1.175
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.6.141
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.12.91
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.18.33
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.0.10
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.1



EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry