{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52956","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.373Z","datePublished":"2026-06-24T16:28:38.414Z","dateUpdated":"2026-07-01T12:08:01.634Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-07-01T12:08:01.634Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in __ceph_x_decrypt()\n\nIn __ceph_x_decrypt(), a part of the buffer p is interpreted as a\nceph_x_encrypt_header, and the magic field of this struct is accessed.\nThis happens without any guarantee that the buffer is large enough to\nhold this struct. The function parameter ciphertext_len represents the\nlength of the ciphertext to decrypt and is guaranteed to be at most the\nremaining size of the allocated buffer p. However, this value is not\nnecessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message\nframe of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold\nthe ciphertext at its end with a ciphertext_len of 8 or less, can\ntrigger an out-of-bounds memory access when accessing hdr->magic.\n\nThis patch fixes the issue by adding a check to ensure that the\ndecrypted plaintext in the buffer is large enough to represent at least\nthe ceph_x_encrypt_header."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ceph/auth_x.c"],"versions":[{"version":"e15fd0a11db00fc7f470a9fc804657ec3f6d04a5","lessThan":"c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2","status":"affected","versionType":"git"},{"version":"e15fd0a11db00fc7f470a9fc804657ec3f6d04a5","lessThan":"821365487aa58d06bda65c676ba215d506ba9768","status":"affected","versionType":"git"},{"version":"2982b9c92a66604ffb9fb2db54cf735133d1ef56","status":"affected","versionType":"git"},{"version":"4.9.6","lessThan":"4.10","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ceph/auth_x.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2"},{"url":"https://git.kernel.org/stable/c/821365487aa58d06bda65c676ba215d506ba9768"}],"title":"libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()","x_generator":{"engine":"bippy-1.2.0"}}}}