CVE-2026-52958 · Severity: CRITICAL · CNA: Linux

CVE-2026-52958: libceph: Fix potential out-of-bounds access in osdmap_decode()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in osdmap_decode() When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message. This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osd*sizeof(*map->osd_weight).
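As an added illustration, not the kernel's code and not from HarborGuard, the C model below isolates the length check the description names: the pre-fix check budgets sizeof(*map->osd_weight) once, the fixed check budgets it map->max_osd times, so a message whose claimed max_osd exceeds its actual content is rejected before the per-osd loop runs. The 1-byte state and 4-byte weight sizes, the message layout and every function name are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Per-entry sizes assumed for this model: 1-byte state, 4-byte weight. */
#define OSD_STATE_SIZE  1   /* stands in for sizeof(*map->osd_state)  */
#define OSD_WEIGHT_SIZE 4   /* stands in for sizeof(*map->osd_weight) */

/* Mirrors the intent of ceph_decode_need(): are `need` bytes still available? */
static bool decode_need(const uint8_t *p, const uint8_t *end, size_t need)
{
    return (size_t)(end - p) >= need;
}

/* Bytes the per-osd decode loop actually consumes for max_osd entries. */
size_t bytes_consumed(uint32_t max_osd)
{
    return (size_t)max_osd * (OSD_STATE_SIZE + OSD_WEIGHT_SIZE);
}

/* Pre-fix check: max_osd states but only one weight are budgeted, so a
 * message shorter than the loop's real footprint can pass. */
bool check_vulnerable(const uint8_t *p, const uint8_t *end, uint32_t max_osd)
{
    return decode_need(p, end, (size_t)max_osd * OSD_STATE_SIZE + OSD_WEIGHT_SIZE);
}

/* Fixed check: budget max_osd weights as well, matching the loop exactly. */
bool check_fixed(const uint8_t *p, const uint8_t *end, uint32_t max_osd)
{
    return decode_need(p, end, (size_t)max_osd * OSD_STATE_SIZE
                               + (size_t)max_osd * OSD_WEIGHT_SIZE);
}

typedef bool (*need_check_fn)(const uint8_t *, const uint8_t *, uint32_t);

/* True if `check` accepts a payload_len-byte message whose claimed max_osd
 * would make the loop read past its end. Uses a constructed zero-filled
 * buffer; the bytes never matter, only the length arithmetic. */
bool check_permits_overread(need_check_fn check, size_t payload_len, uint32_t max_osd)
{
    static const uint8_t buf[64] = {0};
    if (payload_len > sizeof buf)
        return false;                       /* outside the model's range */
    const uint8_t *p = buf, *end = buf + payload_len;
    return check(p, end, max_osd) && bytes_consumed(max_osd) > payload_len;
}
```

With a 20-byte payload claiming max_osd = 10, the pre-fix check passes (it needs only 14 bytes) while the loop would consume 50, whereas the fixed check rejects the message outright.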

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds memory read and write vulnerability exists in the Linux kernel's libceph subsystem, specifically in the osdmap_decode() function that parses incoming OSD map messages from a Ceph cluster. The flaw is reachable over the network without authentication: a remote attacker or a compromised Ceph monitor can send a crafted osdmap message with an inflated max_osd value, causing the kernel to read or write past the end of an allocated buffer. Successful exploitation leaks kernel memory contents and can crash the affected host. A patched-image rebuild at the fix commits is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules. Images in connected registries and active CI pipelines are both covered.

Triage (Available)

HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild targeting the fix commits is available on HarborGuard for environments confirmed to be running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable parsing code is triggered by an incoming osdmap message, so an attacker must be able to reach the Ceph messaging endpoint over the network to deliver a crafted message.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no credentials or account privileges are needed to send a message that triggers the vulnerable code path.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N, so no user action is required; the kernel processes the malicious message automatically upon receipt.

  • Attack complexity: Low

    The CVSS vector specifies AC:L, meaning the exploit is reliable and requires no special environmental conditions, race windows, or memory-layout knowledge.

Blast Radius

  • An attacker who can send a crafted osdmap message reads regions of kernel memory beyond the allocated osd_weight buffer, potentially exposing kernel pointers, cryptographic material, or data from adjacent allocations.
  • The out-of-bounds access can corrupt kernel heap memory, crashing the host or destabilizing the kernel's Ceph client subsystem, denying storage access to all workloads on that node.
  • A crashed or destabilized Ceph client node loses connectivity to its Ceph cluster, making any persistent volumes backed by that cluster unavailable to running containers on the host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that ships an affected Linux kernel version. For environments where the fix commits have been integrated into a base image, a patched rebuild is available immediately. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, run regression tests, and open a pull request against affected workloads; for high- and critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where a kernel upgrade is not immediately feasible, compensating controls to consider include network-policy rules that restrict which pods or hosts can initiate or receive Ceph monitor traffic, and egress filtering that limits exposure of the Ceph messaging port to trusted monitor addresses only. HarborGuard re-checks the advisory on every ingest cycle and will surface any additional fix commits as upstream stable trees backport the patch.


Affected packages
  • Linux / Linux (git ranges, each given as "< fix commit (from introducing commit)")
    < 36a79759a288961b1ff28a68ec2d1f56f6848098 (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
    < 3f2575bb7f955d42569d96c3e04fa958a0dcf4b4 (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
    < 8713bbc4b2b9ad78f803978e54b7e49dd21bd9be (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
    < 0d2dd7e6bb74fd7712aa73457a4a821906c6863a (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
    < e7187f33c02488697ec0d01d82bf7a3f8deaba8f (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
    < 48df98d12b15360cd56af5c1f460307b340c1197 (from dcbc919a5dc8c2629684a113a90c0b6fe10c3462)
  • Linux / Linux (release versions)
    Affected: 5.3
    Fixed in: 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H