CVE-2026-52954

Source
https://cve.org/CVERecord?id=CVE-2026-52954
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52954.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52954
Downstream
Related
Published
2026-06-24T16:28:36.992Z
Modified
2026-07-16T03:30:48.075818525Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
libceph: handle rbtree insertion error in decode_choose_args()
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decodechooseargs()

A message of type CEPHMSGOSDMAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain chooseargs that get decoded in decodechooseargs(). In this function, numchooseargmaps is read from the message, and a corresponding number of crushchooseargmaps gets decoded afterwards. Each crushchooseargmap has a chooseargsindex, which serves as the key when inserting it into the chooseargs rbtree of the decoded crushmap. If a (potentially corrupted) message contains two crushchooseargmaps with the same index, the assertion in insertchooseargmap() triggers a kernel BUG when trying to insert the second crushchooseargmap.

This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52954.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5cf9c4a9959b6273675310d14a834ef14fbca37c
Fixed
c7bf7864e2924fa5508ac270b0e9364bc13d5a6c
Fixed
f47430fc1f815e87406e2d3b4e476eff1bc7fd9b
Fixed
0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da
Fixed
534ebc08df97c47d4c7596f336fa31ecbf91519c
Fixed
80c73bd1b2b04355d1d0c29be8ccbd25a380905d
Fixed
4d2b37abda9536808655830d683dc491d31741a8
Fixed
0a1265a9ab875f92b6a3ffb497404f46cf9d76a3
Fixed
d289478cfc0bcf81c7914200d6abdcb78bd04ded

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52954.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.13.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52954.json"