Skip to main content

Linux Kernel CVE-2026-52956

| EUVDEUVD-2026-38824 HIGH
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-wvxf-4p9h-5vg9
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable Ceph handshake with no auth (AV:N/PR:N/UI:N); out-of-bounds read crashes the kernel, yielding availability-only impact (C:N/I:N/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:35 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()

In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic.

This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.

AnalysisAI

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as Ceph peer or MITM handshake
Delivery
Send crafted AUTH_REPLY_MORE frame (ciphertext_len ≤ 8)
Exploit
__ceph_x_decrypt reads hdr->magic out-of-bounds
Execution
Kernel out-of-bounds access faults
Impact
Client node crashes (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Linux host to be running the in-kernel Ceph client (RBD or CephFS via libceph) and to engage the CephX v2 messenger authentication exchange with an attacker-controlled, compromised, or man-in-the-middle Ceph peer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine but moderate, availability-only risk rather than a top-priority emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised a Ceph peer (or can man-in-the-middle the v2 messenger handshake) sends a crafted FRAME_TAG_AUTH_REPLY_MORE frame with a ciphertext_len of 8 bytes or fewer to a Linux host acting as a Ceph client. When __ceph_x_decrypt() reads hdr->magic past the end of the undersized buffer, the kernel performs an out-of-bounds access and crashes, denying service to the affected node. …
Remediation Vendor-released patch: update to Linux kernel 7.0.10 or 7.1 (or later), which add the length check ensuring the decrypted plaintext is at least sizeof(ceph_x_encrypt_header) before the header is dereferenced; the upstream fixes are commits c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2 and 821365487aa58d06bda65c676ba215d506ba9768 (https://git.kernel.org/stable/c/c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2 and https://git.kernel.org/stable/c/821365487aa58d06bda65c676ba215d506ba9768). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Linux systems with libceph/Ceph client in production and assess criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy