Skip to main content

Linux Kernel CVE-2026-52958

| EUVDEUVD-2026-38826 CRITICAL
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-xhq7-864q-xxj8
9.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.5 MEDIUM

AV:N but AC:H because the attacker must control a trusted Ceph monitor/OSD or inject map traffic; impact is mainly a kernel panic (A:H) with limited OOB-read disclosure (C:L), no integrity loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:35 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.1 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
CRITICAL 9.1
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in osdmap_decode()

When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message.

This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osd*sizeof(*map->osd_weight).

AnalysisAI

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as malicious/compromised Ceph monitor or OSD
Delivery
Send crafted osdmap with inflated max_osd
Exploit
Bypass single-element ceph_decode_need() bounds check
Execution
Out-of-bounds read in osdmap_decode loop
Impact
Kernel panic or memory disclosure on client

Vulnerability AssessmentAI

Exploitation Exploitation requires the target host to be running the in-kernel Ceph client (kernel RBD or CephFS mount) and to receive a corrupted OSD map in which max_osd exceeds the actual osdmap message content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and the headline CVSS overstates real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a Ceph monitor or OSD (or who can MITM/inject the unauthenticated storage traffic) responds to a kernel RBD/CephFS client with a crafted OSD map whose max_osd field is larger than the message body. When osdmap_decode() loops over the inflated count, it reads beyond the buffer, crashing the client kernel or potentially disclosing adjacent memory. …
Remediation Apply the vendor-released kernel patch: upgrade to a fixed stable release for your branch - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 - or your distribution's equivalent backport, then reboot (or live-patch where available). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems using in-kernel Ceph client (RBD/CephFS) and confirm network isolation of Ceph infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy