In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in osdmap_decode()
When decoding osdstate and osdweight from an incoming osdmap in osdmapdecode(), both are decoded for each osd, i.e., map->maxosd times. The cephdecodeneed() check only accounts for sizeof(*map->osdweight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the maxosd value exceeds the actual content of the osdmap message.
This patch fixes the issue by changing the corresponding part in the cephdecodeneed() check to account for map->maxosd*sizeof(*map->osdweight).
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52958.json",
"cna_assigner": "Linux"
}