{"id":"CVE-2026-52954","summary":"libceph: handle rbtree insertion error in decode_choose_args()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: handle rbtree insertion error in decode_choose_args()\n\nA message of type CEPH_MSG_OSD_MAP contains an OSD map that itself\ncontains a CRUSH map. The received CRUSH map may optionally contain\nchoose_args that get decoded in decode_choose_args(). In this function,\nnum_choose_arg_maps is read from the message, and a corresponding number\nof crush_choose_arg_maps gets decoded afterwards. Each\ncrush_choose_arg_map has a choose_args_index, which serves as the key\nwhen inserting it into the choose_args rbtree of the decoded crush_map.\nIf a (potentially corrupted) message contains two crush_choose_arg_maps\nwith the same index, the assertion in insert_choose_arg_map() triggers a\nkernel BUG when trying to insert the second crush_choose_arg_map.\n\nThis patch fixes the issue by switching to the non-asserting rbtree\ninsertion function and rejecting the message if the insertion fails.\n\n[ idryomov: changelog ]","modified":"2026-07-16T03:30:48.075818525Z","published":"2026-06-24T16:28:36.992Z","related":["SUSE-SU-2026:22521-1","SUSE-SU-2026:22522-1","SUSE-SU-2026:2799-1","SUSE-SU-2026:2800-1","SUSE-SU-2026:2914-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52954.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a1265a9ab875f92b6a3ffb497404f46cf9d76a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4d2b37abda9536808655830d683dc491d31741a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/534ebc08df97c47d4c7596f336fa31ecbf91519c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/80c73bd1b2b04355d1d0c29be8ccbd25a380905d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c7bf7864e2924fa5508ac270b0e9364bc13d5a6c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d289478cfc0bcf81c7914200d6abdcb78bd04ded"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f47430fc1f815e87406e2d3b4e476eff1bc7fd9b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52954.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52954"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5cf9c4a9959b6273675310d14a834ef14fbca37c"},{"fixed":"c7bf7864e2924fa5508ac270b0e9364bc13d5a6c"},{"fixed":"f47430fc1f815e87406e2d3b4e476eff1bc7fd9b"},{"fixed":"0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da"},{"fixed":"534ebc08df97c47d4c7596f336fa31ecbf91519c"},{"fixed":"80c73bd1b2b04355d1d0c29be8ccbd25a380905d"},{"fixed":"4d2b37abda9536808655830d683dc491d31741a8"},{"fixed":"0a1265a9ab875f92b6a3ffb497404f46cf9d76a3"},{"fixed":"d289478cfc0bcf81c7914200d6abdcb78bd04ded"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52954.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.13.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.91"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52954.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}