CVE-2026-52954
Memory Corruption in Linux Kernel CRUSH Map Handling

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards.

Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the handling of rbtree insertion errors within the decode_choose_args() function.

A message of type CEPH_MSG_OSD_MAP contains an OSD map which includes a CRUSH map. The CRUSH map may contain choose_args that are decoded in decode_choose_args(). During decoding, multiple crush_choose_arg_maps are inserted into a red-black tree (rbtree) using their choose_args_index as the key.

If a corrupted message contains two crush_choose_arg_maps with the same choose_args_index, the insertion triggers an assertion failure in insert_choose_arg_map(), causing a kernel BUG (crash).

The fix changes the insertion to a non-asserting function and rejects messages that fail insertion, preventing the kernel crash.
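
The fix pattern described above, modelled in user space as an added example (this is not the kernel patch or libceph code): the decoder uses an insert that reports a duplicate key and rejects the whole message instead of asserting. A plain binary search tree stands in for the rbtree, and the function names, wire layout and error values are assumptions made for the model.

```c
/* User-space model of the decode loop; names and wire layout are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct arg_map {
    uint64_t index;               /* stands in for choose_args_index */
    struct arg_map *left, *right; /* plain BST in place of the kernel rbtree */
};

/* Non-asserting insert: reports a duplicate key (0) instead of aborting. */
static int try_insert(struct arg_map **root, struct arg_map *n)
{
    while (*root) {
        if (n->index == (*root)->index) return 0;
        root = n->index < (*root)->index ? &(*root)->left : &(*root)->right;
    }
    *root = n;
    return 1;
}

static void free_tree(struct arg_map *t)
{
    if (t) { free_tree(t->left); free_tree(t->right); free(t); }
}

/* Layout: u32 count, then count u64 indices, host byte order. */
int decode_arg_maps(const uint8_t *p, size_t len, struct arg_map **out)
{
    struct arg_map *root = NULL;
    uint32_t n;
    if (len < sizeof(n)) return -EINVAL;
    memcpy(&n, p, sizeof(n));
    p += sizeof(n);
    if (n > (len - sizeof(n)) / sizeof(uint64_t)) return -EINVAL;
    for (uint32_t i = 0; i < n; i++, p += sizeof(uint64_t)) {
        struct arg_map *m = calloc(1, sizeof(*m));
        if (!m) { free_tree(root); return -ENOMEM; }
        memcpy(&m->index, p, sizeof(m->index));
        if (!try_insert(&root, m)) {   /* duplicate: reject the whole message */
            free(m);
            free_tree(root);
            return -EEXIST;            /* error value chosen for this model */
        }
    }
    *out = root;
    return 0;
}
```

On the duplicate path the model frees both the rejected entry and the partially built tree, so a rejected message leaves nothing allocated.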

Impact Analysis

This vulnerability can cause a kernel BUG (crash) when processing specially crafted CEPH_MSG_OSD_MAP messages containing corrupted CRUSH maps with duplicate choose_args_index values.

Such a crash can lead to denial of service (DoS) on the affected system, potentially disrupting services relying on the Linux kernel and Ceph storage.

Mitigation Strategies

The vulnerability is fixed by a patch that changes the insertion method in the Linux kernel's libceph component to a non-asserting rbtree insertion function and rejects messages if insertion fails.

To mitigate this vulnerability immediately, update your Linux kernel to a version that includes the patch to decode_choose_args().
