libceph: Use u32 for non-negative values in ceph_monmap_decode()_CVE-2026-43405

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: Use u32 for non-negative values in ceph_monmap_decode()

This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.

Basic Information

ID CVE-2026-43405

Source Linux

Published May 8, 2026 at 14:21

Modified May 11, 2026 at 06:34

Affected Product

Vendor Linux

Product Linux

Version a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c

Affected Versions Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c
Linux Linux 5.11

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Use u32 for non-negative values in ceph_monmap_decode()\n\nThis patch fixes unnecessary implicit conversions that change signedness\nof blob_len and num_mon in ceph_monmap_decode().\nCurrently blob_len and num_mon are (signed) int variables. They are used\nto hold values that are always non-negative and get assigned in\nceph_decode_32_safe(), which is meant to assign u32 values. Both\nvariables are subsequently used as unsigned values, and the value of\nnum_mon is further assigned to monmap->num_mon, which is of type u32.\nTherefore, both variables should be of type u32. This is especially\nrelevant for num_mon. If the value read from the incoming message is\nvery large, it is interpreted as a negative value, and the check for\nnum_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to\nallocate a very large chunk of memory for monmap, which will most likely\nfail. In this case, an unnecessary attempt to allocate memory is\nperformed, and -ENOMEM is returned instead of -EINVAL.",
    "published": "2026-05-08T14:21:45.581Z",
    "modified": "2026-05-11T06:34:13.538Z",
    "type": "cve",
    "title": "libceph: Use u32 for non-negative values in ceph_monmap_decode()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ee5588e2bc41acb73f6676c0520420c107cd0140\nhttps://git.kernel.org/stable/c/86f7060cd638d6eb042e8ed780fb83a59ca0dcb3\nhttps://git.kernel.org/stable/c/5f2806684b05bd24d05c091083b8e2517ba8ffac\nhttps://git.kernel.org/stable/c/b268984ae88cb0dcd7a8e8263962c748448e26e8\nhttps://git.kernel.org/stable/c/ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace\nhttps://git.kernel.org/stable/c/08bc6173fd611ad5a40f472bf5f15b92aea0fe40\nhttps://git.kernel.org/stable/c/770444611f047dbfd4517ec0bc1b179d40c2f346",
    "id": "CVE-2026-43405",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c\nLinux Linux 5.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply