Severity by source
Primary rating, from Vendor (Linux): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale shown alongside (note that it argues for AC:H and C:L/I:L, a lower score than the vendor vector above): the attacker must control the Ceph cluster the victim trusts (AC:H); no victim privileges are needed (PR:N); the most reliable impact is a kernel DoS (A:H), with possible limited memory disclosure or corruption (C:L/I:L).
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in crush_decode()
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing.
This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().
Analysis (AI)
Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. …
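To make the decode/destroy mismatch concrete, here is a constructed C model of the two paths, written as an example for this page and not taken from the kernel: alloc_size() sizes the bucket from the first algorithm field, the list-bucket processing stores pointers keyed on b->alg, and destroy_bucket() tears down by b->alg as well. The struct layouts, the algorithm IDs ALG_UNIFORM and ALG_LIST, the two-field wire format, the model_len field, the DEC_* codes and the ptr_field() guard are all assumptions of the model; the guard exists only so the would-be out-of-bounds access is reported as DEC_OOB instead of performed. decode_bucket() with fixed = 1 applies the check described in the commit message, including zeroing b->alg so that teardown stays generic.

```c
/* Constructed model of the libceph CRUSH bucket decode/destroy paths, written
 * as an example for this page; layouts, IDs, wire format and codes are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { ALG_UNIFORM = 1, ALG_LIST = 2 };             /* assumed algorithm IDs */
enum { DEC_OK = 0, DEC_EINVAL = -1, DEC_OOB = -2 };  /* model outcomes */
struct bucket { int alg; size_t model_len; };       /* common header (model) */
struct bucket_uniform { struct bucket h; int item_weight; };
struct bucket_list { struct bucket h; int *item_weights; int *sum_weights; };

/* Pointer fields that only a list bucket has. */
static const size_t list_offs[2] = { offsetof(struct bucket_list, item_weights),
                                     offsetof(struct bucket_list, sum_weights) };

static size_t alloc_size(uint32_t alg)
{
    return alg == ALG_UNIFORM ? sizeof(struct bucket_uniform)
         : alg == ALG_LIST    ? sizeof(struct bucket_list) : 0;
}

/* Guarded pointer-field access; the kernel has no guard and simply accesses past the allocation. */
static int ptr_field(struct bucket *b, size_t off, int **p, int write)
{
    if (off + sizeof *p > b->model_len) return DEC_OOB;
    if (write) memcpy((char *)b + off, p, sizeof *p);
    else       memcpy(p, (char *)b + off, sizeof *p);
    return DEC_OK;
}

struct reader { const uint8_t *p, *end; };          /* constructed LE u32 stream */
static int get_u32(struct reader *r, uint32_t *v)
{
    if (r->end - r->p < 4) return 0;
    *v = r->p[0] | r->p[1] << 8 | r->p[2] << 16 | (uint32_t)r->p[3] << 24;
    r->p += 4;
    return 1;
}

/* Teardown keyed on b->alg, as in the kernel. With b->alg == 0 only the
 * generic part runs, which is why the fix zeroes it on a mismatch. */
static int destroy_bucket(struct bucket *b)
{
    int ret = DEC_OK, *p, i;
    if (!b) return DEC_OK;
    if (b->alg == ALG_LIST)                        /* algorithm-specific part */
        for (i = 0; i < 2; i++)
            if (ptr_field(b, list_offs[i], &p, 0) == DEC_OK) free(p);
            else ret = DEC_OOB;
    free(b);                  /* generic part; the fix moved kfree(b) here */
    return ret;
}

/* Stream: alg then b->alg, both u32 LE. fixed == 0 follows the pre-fix logic,
 * fixed == 1 adds the alg check from the patch. *out is set as soon as the
 * bucket exists and the caller always destroys it, mismatch or not. */
static int decode_bucket(struct reader *r, int fixed, struct bucket **out)
{
    uint32_t alg, balg; size_t len; struct bucket *b; int i;
    *out = NULL;
    if (!get_u32(r, &alg) || !(len = alloc_size(alg))) return DEC_EINVAL;
    if (!(b = *out = calloc(1, len))) return DEC_EINVAL;   /* sized by alg */
    b->model_len = len;
    if (!get_u32(r, &balg)) return DEC_EINVAL;
    b->alg = (int)balg;                            /* second copy, peer chosen */
    if (fixed && balg != alg) {                    /* the fix */
        b->alg = 0;                                /* keep destroy generic */
        return DEC_EINVAL;
    }
    /* Processing keyed on b->alg: a list bucket stores two array pointers in
     * fields that a uniform-sized allocation does not have. */
    if (b->alg == ALG_LIST)
        for (i = 0; i < 2; i++) {
            int *arr = calloc(8, sizeof *arr);     /* per-item weights (model) */
            if (ptr_field(b, list_offs[i], &arr, 1) != DEC_OK) { free(arr); return DEC_OOB; }
        }
    return DEC_OK;
}

/* Encodes a constructed bucket with sizing field `alg` and in-bucket field
 * `balg`, decodes and then destroys it. `which` 0 returns the decode outcome,
 * 1 the destroy outcome. */
static int outcome(uint32_t alg, uint32_t balg, int fixed, int which)
{
    uint32_t f[2] = { alg, balg };
    uint8_t msg[sizeof f];
    struct reader r = { msg, msg + sizeof msg };
    struct bucket *b; int dec, des; size_t i;
    for (i = 0; i < sizeof msg; i++) msg[i] = (uint8_t)(f[i / 4] >> (8 * (i % 4)));
    dec = decode_bucket(&r, fixed, &b);
    des = destroy_bucket(b);
    return which ? des : dec;
}
```

outcome(ALG_UNIFORM, ALG_LIST, 0, 0) and outcome(ALG_UNIFORM, ALG_LIST, 0, 1) show the pre-fix decode and destroy both reaching a field that lies past the uniform-sized allocation; with fixed = 1 decode returns DEC_EINVAL and destroy takes the generic path. Swapping the fields the other way (ALG_LIST for sizing, ALG_UNIFORM inside) over-allocates and is harmless in the model, yet the fix rejects it too, which is the right conservative behaviour for a map supplied by a network peer.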
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim host to run the in-kernel Ceph client (libceph, as used by RBD or CephFS) and to process a CEPH_MSG_OSD_MAP message from an attacker-controlled, compromised, or impersonated Ceph cluster. … |
| Risk Assessment | The signals conflict sharply and should be read with caution. … |
| Exploit Scenario | An attacker who controls or has compromised a Ceph monitor/OSD (or, where cephx authentication and message signing are not enforced on the client connection, can interpose on that connection from a shared network) crafts an OSD map whose CRUSH bucket declares one algorithm in the sizing field and a different one in the in-bucket field. When a victim host with the kernel Ceph client connects and decodes this map, crush_decode() allocates the bucket for the first algorithm but processes it as the second, reading and writing past the allocation in kernel context; the same mismatch is hit again when the map is destroyed. The most reliable outcome is a crash; memory corruption is possible but harder to control. … |
| Remediation | Apply your distribution's kernel update that includes this fix; the upstream patched versions are 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, and mainline 7.1 (Vendor-released patch confirmed via the kernel.org stable commits, e.g. … |
Recommended Action (AI)
24 hours: Identify all production systems mounting or connecting to Ceph storage (RBD/CephFS) and document their kernel versions and Ceph configuration. …
Same weakness: CWE-131 – Incorrect Calculation of Buffer Size
Same technique: Buffer Overflow
Related identifiers: EUVD-2026-38823, GHSA-jh5w-4gpm-r5xw