{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-52955: libceph: Fix potential out-of-bounds access in crush_decode()","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-52955","status":"final","version":"1","initial_release_date":"2026-06-24T16:28:37.748Z","current_release_date":"2026-06-28T06:37:14.892Z","revision_history":[{"date":"2026-06-24T16:28:37.748Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in crush_decode()\n\nA message of type CEPH_MSG_OSD_MAP containing a crush map with at least\none bucket has two fields holding the bucket algorithm. If the values\nin these two fields differ, an out-of-bounds access can occur. This is\nthe case because the first algorithm field (alg) is used to allocate\nthe correct amount of memory for a bucket of this type, while the second\nalgorithm field inside the bucket (b->alg) is used in the subsequent\nprocessing.\n\nThis patch fixes the issue by adding a check that compares alg and\nb->alg and aborts the processing in case they differ. Furthermore,\nb->alg is set to 0 in this case, because the destruction of the crush\nmap also uses this field to determine the bucket type, which can again\nresult in an out-of-bounds access when trying to free the memory pointed\nto by the fields of the bucket. To correctly free the memory allocated\nfor the bucket in such a case, the corresponding call to kfree is moved\nfrom the algorithm-specific crush_destroy_bucket functions to the\ngeneric crush_destroy_bucket().","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-52955 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-52955"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-52955"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/6e70ef53e818c53eab28d7b0026b7fd03dddaba5"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/ebe76d58a48a48031b98543d86c4cd30a825b622"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/3f42508191e129ee6b5ea96578d5cab14f2a013a"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/ea0d42137f0c06da71e37ffc647aab4c5309599a"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/0f3604cbe4df14c5e58288ac9f57511e726a222d"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/fb176a99e4c1a5a8448a83d83d3606203ba81faa"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/4c79fc2d598694bda845b46229c9d48b65042970"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <6e70ef53e818c53eab28d7b0026b7fd03dddaba5","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <6e70ef53e818c53eab28d7b0026b7fd03dddaba5","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <ebe76d58a48a48031b98543d86c4cd30a825b622","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <ebe76d58a48a48031b98543d86c4cd30a825b622","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <3f42508191e129ee6b5ea96578d5cab14f2a013a","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <3f42508191e129ee6b5ea96578d5cab14f2a013a","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <ea0d42137f0c06da71e37ffc647aab4c5309599a","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <ea0d42137f0c06da71e37ffc647aab4c5309599a","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <0f3604cbe4df14c5e58288ac9f57511e726a222d","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <0f3604cbe4df14c5e58288ac9f57511e726a222d","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <fb176a99e4c1a5a8448a83d83d3606203ba81faa","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <fb176a99e4c1a5a8448a83d83d3606203ba81faa","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <4c79fc2d598694bda845b46229c9d48b65042970","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <4c79fc2d598694bda845b46229c9d48b65042970","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<5.10.258","product":{"name":"Linux Linux <5.10.258","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<5.15.209","product":{"name":"Linux Linux <5.15.209","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<6.1.175","product":{"name":"Linux Linux <6.1.175","product_id":"CSAFPID-11","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<6.6.141","product":{"name":"Linux Linux <6.6.141","product_id":"CSAFPID-12","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<6.12.91","product":{"name":"Linux Linux <6.12.91","product_id":"CSAFPID-13","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<6.18.33","product":{"name":"Linux Linux <6.18.33","product_id":"CSAFPID-14","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<7.0.10","product":{"name":"Linux Linux <7.0.10","product_id":"CSAFPID-15","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"*","product":{"name":"Linux Linux *","product_id":"CSAFPID-16","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"5.10.258","product":{"name":"Linux Linux 5.10.258","product_id":"CSAFPID-17","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"5.15.209","product":{"name":"Linux Linux 5.15.209","product_id":"CSAFPID-18","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.1.175","product":{"name":"Linux Linux 6.1.175","product_id":"CSAFPID-19","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.6.141","product":{"name":"Linux Linux 6.6.141","product_id":"CSAFPID-20","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.91","product":{"name":"Linux Linux 6.12.91","product_id":"CSAFPID-21","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.33","product":{"name":"Linux Linux 6.18.33","product_id":"CSAFPID-22","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.10","product":{"name":"Linux Linux 7.0.10","product_id":"CSAFPID-23","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1","product":{"name":"Linux Linux 7.1","product_id":"CSAFPID-24","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-52955","title":"libceph: Fix potential out-of-bounds access in crush_decode()","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in crush_decode()\n\nA message of type CEPH_MSG_OSD_MAP containing a crush map with at least\none bucket has two fields holding the bucket algorithm. If the values\nin these two fields differ, an out-of-bounds access can occur. This is\nthe case because the first algorithm field (alg) is used to allocate\nthe correct amount of memory for a bucket of this type, while the second\nalgorithm field inside the bucket (b->alg) is used in the subsequent\nprocessing.\n\nThis patch fixes the issue by adding a check that compares alg and\nb->alg and aborts the processing in case they differ. Furthermore,\nb->alg is set to 0 in this case, because the destruction of the crush\nmap also uses this field to determine the bucket type, which can again\nresult in an out-of-bounds access when trying to free the memory pointed\nto by the fields of the bucket. To correctly free the memory allocated\nfor the bucket in such a case, the corresponding call to kfree is moved\nfrom the algorithm-specific crush_destroy_bucket functions to the\ngeneric crush_destroy_bucket().","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12","CSAFPID-13","CSAFPID-14","CSAFPID-15","CSAFPID-16"],"fixed":["CSAFPID-17","CSAFPID-18","CSAFPID-19","CSAFPID-20","CSAFPID-21","CSAFPID-22","CSAFPID-23","CSAFPID-24"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12","CSAFPID-13","CSAFPID-14","CSAFPID-15","CSAFPID-16"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0f3604cbe4df14c5e58288ac9f57511e726a222d, 3f42508191e129ee6b5ea96578d5cab14f2a013a, 4c79fc2d598694bda845b46229c9d48b65042970, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 6e70ef53e818c53eab28d7b0026b7fd03dddaba5, 7.0.10, 7.1, cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5, ea0d42137f0c06da71e37ffc647aab4c5309599a, ebe76d58a48a48031b98543d86c4cd30a825b622, fb176a99e4c1a5a8448a83d83d3606203ba81faa.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12","CSAFPID-13","CSAFPID-14","CSAFPID-15","CSAFPID-16"]}]}]}