CVE-2026-52954 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: handle rbtree insertion error in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.

This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.

[ idryomov: changelog ]

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c7bf7864e2924fa5508ac270b0e9364bc13d5a6c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f47430fc1f815e87406e2d3b4e476eff1bc7fd9b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 534ebc08df97c47d4c7596f336fa31ecbf91519c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 80c73bd1b2b04355d1d0c29be8ccbd25a380905d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4d2b37abda9536808655830d683dc491d31741a8
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 0a1265a9ab875f92b6a3ffb497404f46cf9d76a3
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d289478cfc0bcf81c7914200d6abdcb78bd04ded
`0`	affected	< 5.10.258
`0`	affected	< 5.15.209
`0`	affected	< 6.1.175
`0`	affected	< 6.6.141
`0`	affected	< 6.12.91
`0`	affected	< 6.18.33
`0`	affected	< 7.0.10

Linux

affected

Version	Status	Constraints
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/0a1265a9ab875f92b6a3ffb497404f46cf9d76a3
https://git.kernel.org/stable/c/0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da
https://git.kernel.org/stable/c/4d2b37abda9536808655830d683dc491d31741a8
https://git.kernel.org/stable/c/534ebc08df97c47d4c7596f336fa31ecbf91519c
https://git.kernel.org/stable/c/80c73bd1b2b04355d1d0c29be8ccbd25a380905d
https://git.kernel.org/stable/c/c7bf7864e2924fa5508ac270b0e9364bc13d5a6c
https://git.kernel.org/stable/c/d289478cfc0bcf81c7914200d6abdcb78bd04ded
https://git.kernel.org/stable/c/f47430fc1f815e87406e2d3b4e476eff1bc7fd9b

History

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: libceph: handle rbtree insertion error in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map. This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails. [ idryomov: changelog ]
Title		libceph: handle rbtree insertion error in decode_choose_args()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0a1265a9ab875f92b6a3ffb497404f46cf9d76a3 https://git.kernel.org/stable/c/0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da https://git.kernel.org/stable/c/4d2b37abda9536808655830d683dc491d31741a8 https://git.kernel.org/stable/c/534ebc08df97c47d4c7596f336fa31ecbf91519c https://git.kernel.org/stable/c/80c73bd1b2b04355d1d0c29be8ccbd25a380905d https://git.kernel.org/stable/c/c7bf7864e2924fa5508ac270b0e9364bc13d5a6c https://git.kernel.org/stable/c/d289478cfc0bcf81c7914200d6abdcb78bd04ded https://git.kernel.org/stable/c/f47430fc1f815e87406e2d3b4e476eff1bc7fd9b

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:28:36.992Z

Updated: 2026-06-24T16:28:36.992Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52954

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object