CVE-2026-52957
Analyzed Analyzed - Analysis Complete

Null Pointer Dereference in Linux Kernel Ceph

Vulnerability report for CVE-2026-52957, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential null-ptr-deref in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index. This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.13
linux linux_kernel 4.13
linux linux_kernel 4.13
linux linux_kernel 4.13
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 4.13.1 (inc) to 5.10.258 (exc)
linux linux_kernel 4.13

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's libceph component, specifically in the decode_choose_args() function. When decoding a CRUSH map from a CEPH_MSG_OSD_MAP message, some bucket indices may be NULL. The vulnerability occurs because the code checks if the bucket index is within the maximum allowed range but does not verify if the bucket at that index is NULL before accessing it. If a corrupted message contains a bucket index pointing to a NULL bucket, a null pointer dereference can happen, potentially causing a crash or other unintended behavior.

Impact Analysis

The vulnerability can lead to a null pointer dereference in the Linux kernel when processing certain CEPH messages. This can cause the system or affected service to crash or behave unpredictably, potentially leading to denial of service or instability in systems using the affected Linux kernel version with Ceph storage components.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart