7.5

CVE-2026-52954

libceph: handle rbtree insertion error in decode_choose_args()

In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < c7bf7864e2924fa5508ac270b0e9364bc13d5a6c
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < f47430fc1f815e87406e2d3b4e476eff1bc7fd9b
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < 0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < 534ebc08df97c47d4c7596f336fa31ecbf91519c
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < 80c73bd1b2b04355d1d0c29be8ccbd25a380905d
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < 4d2b37abda9536808655830d683dc491d31741a8
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < 0a1265a9ab875f92b6a3ffb497404f46cf9d76a3
Status affected
Version 5cf9c4a9959b6273675310d14a834ef14fbca37c
Version < d289478cfc0bcf81c7914200d6abdcb78bd04ded
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 4.13
Status affected
Version 0
Version < 4.13
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.408
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/c7bf7864e2924fa5508ac270b0e9364bc13d5a6c
https://git.kernel.org/stable/c/f47430fc1f815e87406e2d3b4e476eff1bc7fd9b
https://git.kernel.org/stable/c/0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da
https://git.kernel.org/stable/c/534ebc08df97c47d4c7596f336fa31ecbf91519c
https://git.kernel.org/stable/c/80c73bd1b2b04355d1d0c29be8ccbd25a380905d
https://git.kernel.org/stable/c/4d2b37abda9536808655830d683dc491d31741a8
https://git.kernel.org/stable/c/0a1265a9ab875f92b6a3ffb497404f46cf9d76a3
https://git.kernel.org/stable/c/d289478cfc0bcf81c7914200d6abdcb78bd04ded