Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-delivered malformed OSD map with low complexity crashes the kernel; PR:N per the Ceph protocol's pre-trust connection, no confidentiality or integrity impact, availability High.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
libceph: handle rbtree insertion error in decode_choose_args()
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
AnalysisAI
Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to be running the in-kernel Ceph client (libceph, via RBD or CephFS) and to process an OSD map from a source the attacker controls, compromises, or can MITM - i.e., a malicious/subverted Ceph monitor or OSD, or injection on an unauthenticated/unencrypted cluster channel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent but point to a moderate, niche risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or compromises a Ceph monitor/OSD - or who can MITM the unencrypted cluster channel of a kernel Ceph client - sends a crafted CEPH_MSG_OSD_MAP containing a CRUSH map with two choose_args maps using the same choose_args_index. When the victim kernel decodes it, insert_choose_arg_map() hits the assertion and the kernel BUGs, crashing the client host. … |
| Remediation | Apply the vendor-released stable kernel update for your branch: upgrade to 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 or later, whichever matches your series, then reboot into the patched kernel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems with Ceph client (libceph) functionality and their role in production services. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38822
GHSA-2rwm-p2mw-2gwh