
Linux Kernel CVE-2026-52955

EUVD: EUVD-2026-38823 · CRITICAL
Incorrect Calculation of Buffer Size (CWE-131)
2026-06-24 Linux GHSA-jh5w-4gpm-r5xw
9.8
CVSS 3.1 · Vendor: Linux

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Attacker must control the Ceph cluster the victim trusts (AC:H), no victim privileges needed (PR:N); most reliable impact is kernel DoS (A:H) with possible limited memory disclosure/corruption (C:L/I:L).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS Vector (Vendor: Linux)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated
Jun 28, 2026 - 08:34 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
CRITICAL 9.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing.

This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().
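The fix described above, modelled as an added example in C that is not the kernel's libceph code: a toy bucket decoder whose bucket kinds, struct layouts, wire layout and names (toy_bucket, toy_decode_bucket, toy_destroy_bucket, TOY_BUCKET_*) are all constructed for illustration. It shows the three elements of the fix: the sizing field is compared with the in-bucket field, b->alg is cleared on mismatch so that teardown only touches the generic fields, and the single free lives in the generic destructor rather than in the per-algorithm helpers.

```c
/* Added example (hypothetical names, not libceph). Models a bucket whose
 * memory is sized by an outer 'alg' field but processed by an inner b->alg. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum { TOY_BUCKET_UNIFORM = 1, TOY_BUCKET_LIST = 2 };

struct toy_bucket {            /* generic header, mirrors b->alg */
    uint32_t alg;
    uint32_t size;
    int32_t *items;            /* freed by the generic destructor */
};
struct toy_bucket_uniform { struct toy_bucket h; uint32_t item_weight; };
struct toy_bucket_list {       /* larger than the uniform variant */
    struct toy_bucket h;
    uint32_t *item_weights;
    uint32_t *sum_weights;
};

struct wire { const uint8_t *p, *end; };   /* constructed, host-endian u32 stream */

static int wire_u32(struct wire *w, uint32_t *out)
{
    if ((size_t)(w->end - w->p) < 4) return -1;
    memcpy(out, w->p, 4);
    w->p += 4;
    return 0;
}

/* Generic destructor: alg-specific fields are released only for a known
 * alg; alg == 0 (the mismatch path) touches nothing beyond the header. */
static void toy_destroy_bucket(struct toy_bucket *b)
{
    if (!b) return;
    if (b->alg == TOY_BUCKET_LIST) {
        struct toy_bucket_list *l = (struct toy_bucket_list *)b;
        free(l->item_weights);
        free(l->sum_weights);
    }
    free(b->items);
    free(b);                   /* the one kfree-equivalent, not in per-alg helpers */
}

static struct toy_bucket *alloc_bucket(uint32_t alg)
{
    size_t sz = alg == TOY_BUCKET_UNIFORM ? sizeof(struct toy_bucket_uniform)
              : alg == TOY_BUCKET_LIST    ? sizeof(struct toy_bucket_list) : 0;
    return sz ? calloc(1, sz) : NULL;
}

/* 0 on success; -1 on failure with everything allocated so far released. */
static int toy_decode_bucket(struct wire *w, struct toy_bucket **out)
{
    uint32_t alg, size, inner_alg;
    struct toy_bucket *b;
    if (wire_u32(w, &alg) || wire_u32(w, &size)) return -1;
    if (!(b = alloc_bucket(alg))) return -1;        /* sized by the outer alg */
    b->size = size;
    if (wire_u32(w, &inner_alg)) goto bad;
    b->alg = inner_alg;
    if (b->alg != alg) {        /* the fix: refuse mismatched algorithm fields */
        b->alg = 0;             /* so teardown never casts to the wrong struct */
        goto bad;
    }
    if (size > 1024 || !(b->items = calloc(size, sizeof *b->items))) goto bad;
    for (uint32_t i = 0, v; i < size; i++) {
        if (wire_u32(w, &v)) goto bad;
        b->items[i] = (int32_t)v;
    }
    if (b->alg == TOY_BUCKET_UNIFORM) {
        if (wire_u32(w, &((struct toy_bucket_uniform *)b)->item_weight)) goto bad;
    } else {
        struct toy_bucket_list *l = (struct toy_bucket_list *)b;
        l->item_weights = calloc(size, sizeof *l->item_weights);
        l->sum_weights  = calloc(size, sizeof *l->sum_weights);
        if (!l->item_weights || !l->sum_weights) goto bad;
        for (uint32_t i = 0; i < size; i++)
            if (wire_u32(w, &l->item_weights[i]) || wire_u32(w, &l->sum_weights[i])) goto bad;
    }
    *out = b;
    return 0;
bad:
    toy_destroy_bucket(b);
    return -1;
}

static int decode_words(const uint32_t *words, size_t n, struct toy_bucket **out)
{
    struct wire w = { (const uint8_t *)words, (const uint8_t *)(words + n) };
    return toy_decode_bucket(&w, out);
}

/* Constructed list bucket: alg, size, inner alg, items, then (item, sum) weights. */
int demo_matching_fields(void)
{
    uint32_t msg[] = { TOY_BUCKET_LIST, 2, TOY_BUCKET_LIST, 10, 11, 5, 5, 7, 12 };
    struct toy_bucket *b = NULL;
    if (decode_words(msg, sizeof msg / sizeof *msg, &b)) return 0;
    int ok = b->alg == TOY_BUCKET_LIST && b->size == 2 && b->items[1] == 11;
    toy_destroy_bucket(b);
    return ok;
}

/* Sizing field says UNIFORM (small struct), inner field says LIST: must be rejected. */
int demo_mismatched_fields(void)
{
    uint32_t msg[] = { TOY_BUCKET_UNIFORM, 2, TOY_BUCKET_LIST, 10, 11, 5, 5, 7, 12 };
    struct toy_bucket *b = NULL;
    return decode_words(msg, sizeof msg / sizeof *msg, &b) == -1 && b == NULL;
}

int main(void)
{
    printf("matching fields decode: %d\n", demo_matching_fields());
    printf("mismatched fields rejected: %d\n", demo_mismatched_fields());
    return 0;
}
```

Without the `b->alg = 0` line, the mismatch path would hand a uniform-sized allocation to the destructor with `alg == TOY_BUCKET_LIST`, and the cast in `toy_destroy_bucket` would read pointers past the end of the smaller struct, which is the second out-of-bounds access the description mentions. Running the example under a sanitizer or valgrind confirms that both paths release every allocation.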

Analysis (AI)

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Control or impersonate Ceph cluster endpoint
Delivery: Craft OSD map with mismatched bucket alg fields
Exploit: Victim kernel client decodes CRUSH map
Execution: Trigger out-of-bounds access in crush_decode
Persist: Kernel memory corruption or panic
Impact: Denial of service / potential code execution

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim host to run the in-kernel Ceph client (libceph, as used by RBD or CephFS) and to process a CEPH_MSG_OSD_MAP message from an attacker-controlled, compromised, or impersonated Ceph cluster. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The signals conflict sharply and should be read with caution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who controls or has compromised a Ceph monitor/OSD (or can MITM the unauthenticated cluster connection on a shared network) crafts an OSD map whose CRUSH bucket declares one algorithm in the sizing field and a different one in the in-bucket field. When a victim host with the kernel Ceph client connects and decodes this map, crush_decode() walks past the allocated bucket and triggers an out-of-bounds access in kernel context, panicking the system or corrupting kernel memory. …

Remediation: Apply your distribution's kernel update that includes this fix; the upstream patched versions are 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, and mainline 7.1 (Vendor-released patch confirmed via the kernel.org stable commits, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Identify all production systems mounting or connecting to Ceph storage (RBD/CephFS) and document their kernel versions and Ceph configuration. …

