CVE-2026-52954
Analyzed Analyzed - Analysis Complete

Memory Corruption in Linux Kernel CRUSH Map Handling

Vulnerability report for CVE-2026-52954, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 4.13 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by a patch that changes the insertion method in the Linux kernel's libceph component to a non-asserting rbtree insertion function and rejects messages if insertion fails.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this patch resolving the issue in decode_choose_args().

Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the handling of rbtree insertion errors within the decode_choose_args() function.

A message of type CEPH_MSG_OSD_MAP contains an OSD map which includes a CRUSH map. The CRUSH map may contain choose_args that are decoded in decode_choose_args(). During decoding, multiple crush_choose_arg_maps are inserted into a red-black tree (rbtree) using their choose_args_index as the key.

If a corrupted message contains two crush_choose_arg_maps with the same choose_args_index, the insertion triggers an assertion failure in insert_choose_arg_map(), causing a kernel BUG (crash).

The fix changes the insertion to a non-asserting function and rejects messages that fail insertion, preventing the kernel crash.

Impact Analysis

This vulnerability can cause a kernel BUG (crash) when processing specially crafted CEPH_MSG_OSD_MAP messages containing corrupted CRUSH maps with duplicate choose_args_index values.

Such a crash can lead to denial of service (DoS) on the affected system, potentially disrupting services relying on the Linux kernel and Ceph storage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart