CVE-2026-52957
Received - Intake
Null Pointer Dereference in Linux Kernel Ceph

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential null-ptr-deref in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL.

The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index.

This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.
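The gap between the range check and the NULL-slot check described above, as an added user-space C sketch (not the kernel's libceph code and not the upstream patch). All struct, function and field names are hypothetical, the sample map is constructed, and rejecting a record that names an empty slot is an assumption of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model; all names here are hypothetical. */
struct bucket { uint32_t size; };
struct map { struct bucket **buckets; uint32_t max_buckets; };

/* Constructed sample map: three slots, slot 1 holds no bucket (NULL). */
static struct bucket b0 = { 4 }, b2 = { 2 };
static struct bucket *slots[3] = { &b0, NULL, &b2 };
static const struct map sample = { slots, 3 };

/* Bounds-checked little-endian u32 read that advances *p. */
static int get_u32(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if (end - *p < 4)
        return -EINVAL;
    *out = (uint32_t)(*p)[0] | (uint32_t)(*p)[1] << 8 |
           (uint32_t)(*p)[2] << 16 | (uint32_t)(*p)[3] << 24;
    *p += 4;
    return 0;
}

/* The check as the description states it was: index range only. */
static int range_only_ok(const struct map *m, uint32_t idx)
{
    return idx < m->max_buckets;
}

/* Extended check: in range and the slot actually holds a bucket. */
static int bucket_ok(const struct map *m, uint32_t idx)
{
    return idx < m->max_buckets && m->buckets[idx] != NULL;
}

/* Decode one (bucket_index, expect_size) record and validate it. */
static int decode_arg(const uint8_t *buf, size_t len, const struct map *m)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t idx, expect_size;
    if (get_u32(&p, end, &idx) || get_u32(&p, end, &expect_size))
        return -EINVAL;
    if (!bucket_ok(m, idx))      /* reject before any dereference */
        return -EINVAL;
    if (expect_size && expect_size != m->buckets[idx]->size)
        return -EINVAL;
    return 0;
}
```

With the constructed map, index 1 passes `range_only_ok()` but fails `bucket_ok()`, which is the case the description says the original check missed.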
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the decode_choose_args() function. When a CRUSH map is decoded from a CEPH_MSG_OSD_MAP message, some entries in the bucket array may be NULL. The code checks that the bucket index is within the maximum allowed range but does not verify that the bucket at that index is non-NULL before accessing it. If a corrupted message contains a bucket index pointing to a NULL bucket, a null pointer dereference can happen, potentially causing a crash or other unintended behavior.

Impact Analysis

The vulnerability can lead to a null pointer dereference in the Linux kernel when processing certain CEPH messages. This can cause the system or affected service to crash or behave unpredictably, potentially leading to denial of service or instability in systems using the affected Linux kernel version with Ceph storage components.
