HarborGuard Database
CRITICAL · CVE-2026-52955 · CNA: Linux

CVE-2026-52955: libceph: Fix potential out-of-bounds access in crush_decode()

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing.

This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().
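
The following is an added, self-contained userspace model of the decode and destroy sequence described above. It is not the kernel's code: its struct layouts, its single UNIFORM/LIST pair of bucket types, its host-byte-order wire format, its 1024-item cap and all of its names (decode_bucket, destroy_bucket, build_bucket, overrun_if_unchecked) are assumptions made for illustration. It keeps the shape of the real path, an outer u32 alg that sizes the allocation followed by an inner u8 b->alg that selects the per-type decoder and destructor, and applies the fix: compare the two, zero b->alg on mismatch, and free the bucket header from the generic destroy routine so the aborted bucket is released without dispatching on the bad value. overrun_if_unchecked() shows, from the struct sizes alone, how many bytes the pre-fix per-type decoder would have written past a UNIFORM-sized allocation when the inner field says LIST.

```c
/* Added example, not kernel code: a userspace model of the bucket decode and
 * destroy sequence.  Struct layouts, bucket types, byte order and the item cap
 * are assumptions of the model. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { BUCKET_UNIFORM = 1, BUCKET_LIST = 2 };

struct bucket {                  /* common header, like struct crush_bucket */
    int32_t id; uint16_t type;
    uint8_t alg;                 /* the inner algorithm field (b->alg) */
    uint8_t hash; uint32_t weight, size; int32_t *items;
};
struct bucket_uniform { struct bucket h; uint32_t item_weight; };
struct bucket_list    { struct bucket h; uint32_t *item_weights, *sum_weights; };

static size_t alloc_size_for(uint32_t alg) {
    if (alg == BUCKET_UNIFORM) return sizeof(struct bucket_uniform);
    if (alg == BUCKET_LIST)    return sizeof(struct bucket_list);
    return 0;                    /* unknown algorithm: reject the map */
}

/* Bounds-checked read, the role ceph_decode_*_safe() plays in libceph. */
static int rd(const uint8_t **p, const uint8_t *end, void *dst, size_t n) {
    if ((size_t)(end - *p) < n) return -1;
    memcpy(dst, *p, n); *p += n;
    return 0;
}

/* Generic destroy: per-type arrays are freed by dispatching on b->alg, the
 * header here (the kfree move the fix describes), so a zeroed b->alg still
 * releases the bucket without touching type-specific fields. */
void destroy_bucket(struct bucket *b) {
    if (!b) return;
    if (b->alg == BUCKET_LIST) {
        free(((struct bucket_list *)b)->item_weights);
        free(((struct bucket_list *)b)->sum_weights);
    }
    free(b->items);
    free(b);
}

static int decode_list(const uint8_t **p, const uint8_t *end, struct bucket_list *l) {
    uint32_t i, n = l->h.size;
    l->item_weights = calloc(n, sizeof(uint32_t));
    l->sum_weights  = calloc(n, sizeof(uint32_t));
    if (n && (!l->item_weights || !l->sum_weights)) return -1;
    for (i = 0; i < n; i++) if (rd(p, end, &l->item_weights[i], 4)) return -1;
    for (i = 0; i < n; i++) if (rd(p, end, &l->sum_weights[i], 4)) return -1;
    return 0;
}

/* Decode one bucket: 0 and *out on success, -1 with nothing leaked otherwise.
 * The outer u32 alg sizes the allocation; the inner u8 b->alg selects the
 * per-type decoder and, later, the destructor, so the two must agree. */
int decode_bucket(const uint8_t *buf, size_t len, struct bucket **out) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t alg, i;
    if (rd(&p, end, &alg, 4) || alloc_size_for(alg) == 0) return -1;
    struct bucket *b = calloc(1, alloc_size_for(alg));
    if (!b) return -1;
    if (rd(&p, end, &b->id, 4) || rd(&p, end, &b->type, 2) || rd(&p, end, &b->alg, 1) ||
        rd(&p, end, &b->hash, 1) || rd(&p, end, &b->weight, 4) || rd(&p, end, &b->size, 4))
        goto bad;
    /* The fix: refuse a bucket whose inner algorithm differs from the one the
     * allocation was sized for, and zero b->alg so destroy_bucket() does not
     * dispatch on the untrusted value either. */
    if (b->alg != alg) { b->alg = 0; goto bad; }
    if (b->size > 1024) goto bad;             /* assumed item cap for the model */
    b->items = calloc(b->size, sizeof(int32_t));
    if (b->size && !b->items) goto bad;
    for (i = 0; i < b->size; i++) if (rd(&p, end, &b->items[i], 4)) goto bad;
    if (alg == BUCKET_UNIFORM) {
        if (rd(&p, end, &((struct bucket_uniform *)b)->item_weight, 4)) goto bad;
    } else if (decode_list(&p, end, (struct bucket_list *)b)) goto bad;
    *out = b;
    return 0;
bad:
    destroy_bucket(b);
    return -1;
}

/* Bytes the pre-fix code would have written past the allocation for a given
 * (outer, inner) pair: derived from the struct sizes, never performed. */
long overrun_if_unchecked(uint32_t outer_alg, uint8_t inner_alg) {
    return (long)alloc_size_for(inner_alg) - (long)alloc_size_for(outer_alg);
}

static uint8_t *put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); return p + 4; }

/* Constructed one-item bucket message.  The last word is sum_weights[0] for a
 * LIST bucket and is simply left unread when the bucket is UNIFORM. */
size_t build_bucket(uint8_t *buf, uint32_t outer, uint8_t inner) {
    uint16_t type = 1;
    uint8_t *p = put32(buf, outer);           /* outer alg: sizes the allocation */
    p = put32(p, 0);                          /* id */
    memcpy(p, &type, 2); p += 2;
    *p++ = inner; *p++ = 0;                   /* inner alg (b->alg), hash */
    p = put32(p, 1);                          /* weight */
    p = put32(p, 1);                          /* size = 1 item */
    p = put32(p, (uint32_t)-2);               /* items[0] = -2 */
    p = put32(p, 1);                          /* item_weight / item_weights[0] */
    p = put32(p, 1);                          /* sum_weights[0] */
    return (size_t)(p - buf);
}
```

build_bucket() constructs the test messages inline: a consistent (LIST, LIST) message decodes, a (UNIFORM, LIST) message is rejected with nothing leaked, and a truncated buffer fails the same bounds checks that the real decoder's *_safe helpers enforce.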

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0f3604cbe4df14c5e58288ac9f57511e726a222d
Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds memory access vulnerability exists in the Linux kernel's libceph component, in the crush_decode() function that parses the CRUSH map carried in CEPH_MSG_OSD_MAP messages received from a Ceph cluster. Each encoded bucket carries its algorithm twice: an outer field (alg) that decides how much memory is allocated for the bucket, and a field inside the bucket header (b->alg) that selects the per-type decoder and, later, the per-type destructor. A message whose two values disagree makes the kernel process and free the allocation as a different bucket type than it was sized for, accessing memory outside it. Anyone able to deliver such a message to the kernel client can trigger it; the CVSS 3.1 vector scores the attack as network-reachable with no privileges or user interaction and rates confidentiality, integrity and availability impact as High. The advisory itself describes out-of-bounds access during both decoding and teardown, so the guaranteed outcome is kernel heap corruption and a crash, with any further impact depending on heap layout. Patched-image rebuilds at the fixed kernel versions (5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 and 7.1) are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-52955 is active across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from the upstream Linux kernel advisory feeds. Coverage extends to custom-built images that bundle affected kernel packages, not just images pulled from public registries.

Triage: Available

HarborGuard scores this CVE at CVSS 9.8 Critical and weighs it against each customer organization's per-environment compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer org according to the configured notification rules.

Patch: Available

A patched-image rebuild targeting the fixed kernel versions (5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 or 7.1, plus the corresponding fix commits) becomes available in HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code runs in the kernel Ceph client (libceph, used by RBD block devices and CephFS mounts), so the exposed party is the host that mounts Ceph storage, not the cluster. OSD maps normally arrive from the monitors and OSDs the client is connected to; the attacker therefore needs to control, or be able to speak as, a cluster endpoint the client talks to, or otherwise be positioned to inject a CEPH_MSG_OSD_MAP onto that connection.

  • Authentication: Not required

    The CVSS vector scores PR:N: the kernel decodes the CRUSH map as soon as the message is framed, with no credential check of its own on the map contents. Whether the cluster connection carrying the message is itself authenticated is a property of the deployment, not of the vulnerable code.

  • Victim interaction: Not required

    No user action is needed; the kernel processes incoming OSD map messages automatically, without any interaction from a logged-in user.

  • Attack complexity: Low (AC:L)

    The trigger is a single well-formed OSD map whose outer bucket algorithm field and in-bucket b->alg field disagree; no race condition or environmental dependency is needed to reach the faulty path. Turning the resulting out-of-bounds access into anything beyond a crash depends on kernel heap layout and is not something the advisory demonstrates.

Blast Radius

  • Out-of-bounds reads of kernel heap memory adjacent to the undersized bucket allocation, a potential disclosure of whatever neighbouring objects hold.
  • Out-of-bounds writes when the per-type decoder fills fields the allocation does not contain, corrupting neighbouring kernel heap objects.
  • A second out-of-bounds access on map teardown, because crush_destroy_bucket() dispatches on the same mismatched field; either path can crash the kernel and take down every workload on the host.
  • A kernel memory-corruption primitive on any host whose kernel mounts Ceph storage. Because libceph runs in the host kernel, a container that uses an RBD volume or CephFS mount exposes the whole node, which is why this is a container-escape and local-privilege-escalation concern rather than a pod-scoped one.

How HarborGuard Handles This

Detection of CVE-2026-52955 is active across all connected registries and CI pipelines, matching any image that includes an affected Linux kernel package (anything below 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 or 7.1 on the respective stable branches). For customers who opt into auto-remediation, HarborGuard rebuilds affected images at a patched kernel version, runs regression tests against the rebuilt image, and opens a pull request targeting the affected workload repositories; for critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS 9.8 Critical scoring and routes it to the configured team inbox so engineers can act manually.

While a patch is being applied, the compensating controls that match how this bug is reached are: restrict, with network policy, which monitor and OSD addresses the kernel client on each node may connect to, so that only the intended cluster can send it OSD maps; do not mount RBD volumes or CephFS from clusters you do not control; and schedule Ceph-backed workloads onto dedicated nodes, since the vulnerable code runs in the shared host kernel and pod-level security settings do not contain it. Note that the kernel that actually decodes the map is the node's running kernel, not the one packaged in a container image, so verify the booted kernel version on the nodes (uname -r) as well as the image contents.


Fix available

Fix commits: 0f3604cbe4df14c5e58288ac9f57511e726a222d, 3f42508191e129ee6b5ea96578d5cab14f2a013a, 4c79fc2d598694bda845b46229c9d48b65042970, 6e70ef53e818c53eab28d7b0026b7fd03dddaba5, cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5, ea0d42137f0c06da71e37ffc647aab4c5309599a, ebe76d58a48a48031b98543d86c4cd30a825b622, fb176a99e4c1a5a8448a83d83d3606203ba81faa
Fixed versions: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
Affected packages
  • Linux / Linux (git ranges): every commit from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (the initial Linux git commit, i.e. the whole history of each branch) up to, but not including, each of the fix commits:
    < 6e70ef53e818c53eab28d7b0026b7fd03dddaba5
    < ebe76d58a48a48031b98543d86c4cd30a825b622
    < 3f42508191e129ee6b5ea96578d5cab14f2a013a
    < ea0d42137f0c06da71e37ffc647aab4c5309599a
    < cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5
    < 0f3604cbe4df14c5e58288ac9f57511e726a222d
  • Linux / Linux (releases): fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H