CVE-2026-52956
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Access in Linux Kernel Ceph

Vulnerability report for CVE-2026-52956, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 4.10 (inc) to 7.0.10 (exc)
linux linux_kernel From 4.9.6 (inc) to 4.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the __ceph_x_decrypt() function. The issue arises because the function interprets part of a buffer as a ceph_x_encrypt_header struct and accesses its magic field without ensuring the buffer is large enough to hold this struct. If the ciphertext length is smaller than the size of the struct, an out-of-bounds memory access can occur, potentially leading to memory corruption or crashes.

The vulnerability is fixed by adding a check to ensure the decrypted plaintext buffer is large enough to contain at least the ceph_x_encrypt_header before accessing its fields.

Impact Analysis

This vulnerability can lead to out-of-bounds memory access in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service. The exact impact depends on how the vulnerable function is used and whether an attacker can control the input to trigger the out-of-bounds access.

Mitigation Strategies

The vulnerability in the Linux kernel related to libceph's __ceph_x_decrypt() function has been fixed by adding a check to ensure the decrypted plaintext buffer is large enough to hold the ceph_x_encrypt_header structure.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart