Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-delivered OSD map crashes the client (A:H only), but the attacker must be a trusted/authenticated cluster peer to inject the map, so PR:L rather than PR:N.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential null-ptr-deref in decode_choose_args()
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index.
This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.
AnalysisAI
Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target host must run the in-kernel libceph client (CephFS or RBD) and process a CEPH_MSG_OSD_MAP message containing an OSD map whose CRUSH map includes an optional choose_args / crush_choose_arg_map section with a bucket_index that is within max_buckets but points to a NULL (unallocated) bucket. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) reflects a network-reachable, unauthenticated, availability-only impact - consistent with the description, which describes a kernel crash (DoS) and no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised a Ceph cluster component (or can spoof OSD map traffic on the storage network) crafts a CEPH_MSG_OSD_MAP message whose CRUSH map includes a choose_args entry referencing a bucket_index pointing to a NULL bucket slot. When a connected Linux libceph client decodes the map in decode_choose_args(), it dereferences the NULL pointer and the kernel panics, taking the storage client offline. … |
| Remediation | Apply the vendor-released patched kernel for your branch: upgrade to Linux 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later) as appropriate to your running series, then reboot into the new kernel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running libceph (Ceph clients and cluster participant nodes running affected Linux kernels). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38825
GHSA-7qv9-42rg-qh56