Skip to main content

Linux Kernel CVE-2026-43406

| EUVDEUVD-2026-28712 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-pfqf-x57j-qhgm
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:33 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.1 (CRITICAL)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in process_message_header()

If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().

Perform an explicit bounds check before decoding the message header.

AnalysisAI

Out-of-bounds memory reads in Linux kernel's libceph messaging layer allow remote unauthenticated attackers to disclose kernel memory or trigger denial-of-service via malformed Ceph protocol frames. The vulnerability exists in process_message_header() when message frames are corrupted to make the control segment length smaller than the message header size, bypassing length validation. Vendor patches available for stable kernel versions 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% and no KEV listing suggest limited real-world exploitation observed despite network-accessible attack vector and unauthenticated access. Critical CVSS score of 9.1 reflects worst-case impact (high confidentiality and availability risk) if Ceph storage networking is exposed.

Technical ContextAI

The vulnerability resides in the Linux kernel's libceph library, which implements the client-side protocol for Ceph distributed storage systems. Ceph uses a custom network protocol with message framing that includes control segments and message headers. The process_message_header() function decodes incoming message frames but lacked bounds checking before reading the message header structure. An attacker can craft malicious frames where the control segment length field is smaller than sizeof(struct ceph_msg_header) or make non-message frames appear as message frames. This causes the decoder to read past the allocated buffer boundary, potentially leaking kernel memory contents or causing kernel crashes. The affected code path handles network input directly, making it reachable without authentication if Ceph client services are network-accessible. The fix adds explicit length validation before decoding: if (control_len < sizeof(struct ceph_msg_header)) reject the frame. This is a classic input validation failure where network protocol parsers trust attacker-controlled length fields without verifying buffer boundaries first.

RemediationAI

Upgrade to patched kernel versions: 5.15.203 or later for 5.15.x branch, 6.1.167+ for 6.1.x, 6.6.130+ for 6.6.x, 6.12.78+ for 6.12.x, 6.18.19+ for 6.18.x, 6.19.9+ for 6.19.x, or mainline 7.0+. Patches available from git.kernel.org stable tree with verification via commit hashes provided in references. Organizations unable to immediately patch should implement compensating controls: isolate Ceph storage networks using VLANs or separate physical networks with firewall rules blocking Ceph protocol ports (default TCP 6789 for monitors, 6800-7300 for OSDs) from untrusted networks. Configure Ceph authentication (cephx) to require cryptographic authentication for all client connections, which adds protocol integrity checks that may prevent malformed frames from reaching vulnerable code paths, though this is not a complete mitigation since authentication occurs after frame parsing. Monitor Ceph cluster logs for connection errors or unusual frame processing failures. Note that network isolation is the most effective workaround but limits legitimate access; cephx authentication adds defense-in-depth but does not eliminate the underlying parser vulnerability. Kernel live patching solutions (kpatch, kGraft) may provide non-disruptive remediation for production systems where reboot scheduling is complex.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy