Skip to main content

Linux Kernel CVE-2026-52954

| EUVDEUVD-2026-38822 HIGH
Reachable Assertion (CWE-617)
2026-06-24 Linux GHSA-2rwm-p2mw-2gwh
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-delivered malformed OSD map with low complexity crashes the kernel; PR:N per the Ceph protocol's pre-trust connection, no confidentiality or integrity impact, availability High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:33 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]

AnalysisAI

Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or impersonate Ceph monitor/OSD
Delivery
Craft CRUSH map with duplicate choose_args_index
Exploit
Send malicious CEPH_MSG_OSD_MAP to client
Execution
decode_choose_args inserts second map
Persist
Assertion fails in insert_choose_arg_map
Impact
Kernel BUG and panic (DoS)

Vulnerability AssessmentAI

Exploitation Requires the victim to be running the in-kernel Ceph client (libceph, via RBD or CephFS) and to process an OSD map from a source the attacker controls, compromises, or can MITM - i.e., a malicious/subverted Ceph monitor or OSD, or injection on an unauthenticated/unencrypted cluster channel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent but point to a moderate, niche risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or compromises a Ceph monitor/OSD - or who can MITM the unencrypted cluster channel of a kernel Ceph client - sends a crafted CEPH_MSG_OSD_MAP containing a CRUSH map with two choose_args maps using the same choose_args_index. When the victim kernel decodes it, insert_choose_arg_map() hits the assertion and the kernel BUGs, crashing the client host. …
Remediation Apply the vendor-released stable kernel update for your branch: upgrade to 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 or later, whichever matches your series, then reboot into the patched kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems with Ceph client (libceph) functionality and their role in production services. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy