Skip to main content

Linux Kernel CVE-2026-52957

| EUVDEUVD-2026-38825 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-7qv9-42rg-qh56
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-delivered OSD map crashes the client (A:H only), but the attacker must be a trusted/authenticated cluster peer to inject the map, so PR:L rather than PR:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:35 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential null-ptr-deref in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index.

This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

AnalysisAI

Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of or spoof Ceph cluster traffic
Delivery
Craft malicious OSD map with bad choose_args
Exploit
Send CEPH_MSG_OSD_MAP to libceph client
Execution
Client decodes NULL bucket_index
Persist
Null pointer dereference in kernel
Impact
Kernel panic, denial of service

Vulnerability AssessmentAI

Exploitation The target host must run the in-kernel libceph client (CephFS or RBD) and process a CEPH_MSG_OSD_MAP message containing an OSD map whose CRUSH map includes an optional choose_args / crush_choose_arg_map section with a bucket_index that is within max_buckets but points to a NULL (unallocated) bucket. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) reflects a network-reachable, unauthenticated, availability-only impact - consistent with the description, which describes a kernel crash (DoS) and no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised a Ceph cluster component (or can spoof OSD map traffic on the storage network) crafts a CEPH_MSG_OSD_MAP message whose CRUSH map includes a choose_args entry referencing a bucket_index pointing to a NULL bucket slot. When a connected Linux libceph client decodes the map in decode_choose_args(), it dereferences the NULL pointer and the kernel panics, taking the storage client offline. …
Remediation Apply the vendor-released patched kernel for your branch: upgrade to Linux 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later) as appropriate to your running series, then reboot into the new kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running libceph (Ceph clients and cluster participant nodes running affected Linux kernels). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy