CVE-2026-52956
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52956
EUVD
EUVD-2026-38824
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the __ceph_x_decrypt() function. The issue arises because the function interprets part of a buffer as a ceph_x_encrypt_header struct and accesses its magic field without ensuring the buffer is large enough to hold this struct. If the ciphertext length is smaller than the size of the struct, an out-of-bounds memory access can occur, potentially leading to memory corruption or crashes.

The vulnerability is fixed by adding a check to ensure the decrypted plaintext buffer is large enough to contain at least the ceph_x_encrypt_header before accessing its fields.

Impact Analysis

This vulnerability can lead to out-of-bounds memory access in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service. The exact impact depends on how the vulnerable function is used and whether an attacker can control the input to trigger the out-of-bounds access.

Mitigation Strategies

The vulnerability in the Linux kernel related to libceph's __ceph_x_decrypt() function has been fixed by adding a check to ensure the decrypted plaintext buffer is large enough to hold the ceph_x_encrypt_header structure.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart