Skip to main content

Linux Kernel CVE-2026-43405

| EUVDEUVD-2026-28711 HIGH
Use of Uninitialized Resource (CWE-908)
2026-05-08 Linux GHSA-5r63-pv2h-4jqg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:33 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Use u32 for non-negative values in ceph_monmap_decode()

This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL.

AnalysisAI

Integer signedness vulnerability in Linux kernel's Ceph networking library (libceph) allows remote attackers to trigger denial of service via crafted monitor map messages. The flaw enables bypassing memory allocation limits by exploiting signed/unsigned integer confusion in ceph_monmap_decode(), causing excessive memory allocation attempts that crash the system. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and 0.02% EPSS score, this represents a network-reachable DoS vector against systems using Ceph storage, though low exploitation probability suggests limited attacker interest. Patches available across all maintained kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Technical ContextAI

The vulnerability resides in libceph, the Linux kernel's client library for the Ceph distributed storage system. Ceph uses a cluster of monitors to maintain authoritative cluster state, communicated via 'monmap' (monitor map) messages. The ceph_monmap_decode() function parses incoming monmaps using ceph_decode_32_safe() to extract blob_len and num_mon fields as signed integers, but these values represent u32 wire-format data. When a maliciously crafted monmap contains a num_mon value greater than 0x7FFFFFFF, it's interpreted as negative due to signed integer overflow, bypassing the boundary check (num_mon > CEPH_MAX_MON). The kernel then attempts to allocate memory based on the unsigned interpretation of this value (potentially gigabytes or terabytes), causing allocation failure and system instability. This is a classic integer signedness mismatch (similar to CWE-195/CWE-681) where protocol parsing trusts network-supplied size fields without proper type safety.

RemediationAI

Upgrade to patched kernel versions: 5.15.203+ (LTS), 6.1.167+ (LTS), 6.6.130+ (stable), 6.12.78+ (stable), 6.18.19+ (stable), 6.19.9+ (stable), or 7.0+ (mainline). Patches backported to all maintained stable branches per https://git.kernel.org/stable/. For systems that cannot immediately patch, disable Ceph client functionality if not operationally required (blacklist ceph.ko and libceph.ko kernel modules via modprobe.d, requires reboot or module unload). For production Ceph deployments requiring continuous operation, implement network segmentation to restrict monitor connections to trusted management networks only - use iptables/nftables to whitelist monitor IPs on Ceph client nodes, blocking untrusted sources from TCP port 6789 (Ceph monitor default). Note this workaround reduces but does not eliminate risk if attackers compromise trusted network segments. Verify kernel config with 'grep CONFIG_CEPH_LIB /boot/config-$(uname -r)' - if not set or =n, system is not vulnerable. Post-patch, monitor for allocation failures in dmesg/journalctl as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy