CVE-2026-52956

HIGH

libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.

Scores

CVSS v3 7.5
EPSS 0.0036
EPSS Percentile 28.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (12)
linux/Kernel 4.10.0 - 7.0.10linux
Linux/Linux < 4.10
Linux/Linux < 7.0.10
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 821365487aa58d06bda65c676ba215d506ba9768
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2
Linux/Linux 2982b9c92a66604ffb9fb2db54cf735133d1ef56
Linux/Linux 4.10
Linux/Linux 4.9.6 - 4.10
Linux/Linux 7.0.10 - 7.0.*
Linux/Linux 7.1
... and 2 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026