libceph: Fix potential out-of-bounds access in osdmap_decode()_CVE-2026-52958

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in osdmap_decode()

When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.

This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).

AI Analysis

Out-of-bounds memory access vulnerability in libceph due to incorrect decoding of osd_state and osd_weight from an incoming osdmap in osdmap_decode().

Basic Information

ID CVE-2026-52958

Source Linux

Published Jun 24, 2026 at 16:28

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version dcbc919a5dc8c2629684a113a90c0b6fe10c3462

Affected Versions Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462
Linux Linux 5.3

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 5.3

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in osdmap_decode()\n\nWhen decoding osd_state and osd_weight from an incoming osdmap in\nosdmap_decode(), both are decoded for each osd, i.e., map->max_osd\ntimes. The ceph_decode_need() check only accounts for\nsizeof(*map->osd_weight) once. This can potentially result in an\nout-of-bounds memory access if the incoming message is corrupted such\nthat the max_osd value exceeds the actual content of the osdmap message.\n\nThis patch fixes the issue by changing the corresponding part in the\nceph_decode_need() check to account for\nmap->max_osd*sizeof(*map->osd_weight).",
    "published": "2026-06-24T16:28:39.723Z",
    "modified": "2026-06-28T06:37:19.643Z",
    "type": "cve",
    "title": "libceph: Fix potential out-of-bounds access in osdmap_decode()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/36a79759a288961b1ff28a68ec2d1f56f6848098\nhttps://git.kernel.org/stable/c/3f2575bb7f955d42569d96c3e04fa958a0dcf4b4\nhttps://git.kernel.org/stable/c/8713bbc4b2b9ad78f803978e54b7e49dd21bd9be\nhttps://git.kernel.org/stable/c/0d2dd7e6bb74fd7712aa73457a4a821906c6863a\nhttps://git.kernel.org/stable/c/e7187f33c02488697ec0d01d82bf7a3f8deaba8f\nhttps://git.kernel.org/stable/c/48df98d12b15360cd56af5c1f460307b340c1197\nhttps://git.kernel.org/stable/c/ee933694645dac062d65fc2743f92bc06fa0db6b\nhttps://git.kernel.org/stable/c/35d0ed82d03e5ee77ea4f31f20e29562a7721649",
    "id": "CVE-2026-52958",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux dcbc919a5dc8c2629684a113a90c0b6fe10c3462\nLinux Linux 5.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "dcbc919a5dc8c2629684a113a90c0b6fe10c3462",
    "vendor": "Linux",
    "ai_description": "Out-of-bounds memory access vulnerability in libceph due to incorrect decoding of osd_state and osd_weight from an incoming osdmap in osdmap_decode().",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "5.3",
    "ai_score": 9.1
}