In the Linux kernel, the following vulnerability has been resolved:
libceph: handle rbtree insertion error in decodechooseargs()
A message of type CEPHMSGOSDMAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain chooseargs that get decoded in decodechooseargs(). In this function, numchooseargmaps is read from the message, and a corresponding number of crushchooseargmaps gets decoded afterwards. Each crushchooseargmap has a chooseargsindex, which serves as the key when inserting it into the chooseargs rbtree of the decoded crushmap. If a (potentially corrupted) message contains two crushchooseargmaps with the same index, the assertion in insertchooseargmap() triggers a kernel BUG when trying to insert the second crushchooseargmap.
This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52954.json"
}