| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026012351-CVE-2026-22990-a62e@gregkh> Date: Fri, 23 Jan 2026 16:25:01 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-22990: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. The Linux kernel CVE team has assigned CVE-2026-22990 to this issue. Affected and fixed versions =========================== Fixed in 5.10.248 with commit 9aa0b0c14cefece078286d78b97d4c09685e372d Fixed in 5.15.198 with commit 4b106fbb1c7b841cd402abd83eb2447164c799ea Fixed in 6.1.161 with commit 6afd2a4213524bc742b709599a3663aeaf77193c Fixed in 6.6.121 with commit d3613770e2677683e65d062da5e31f48c409abe9 Fixed in 6.12.66 with commit 6c6cec3db3b418c4fdf815731bc39e46dff75e1b Fixed in 6.18.6 with commit 6348d70af847b79805374fe628d3809a63fd7df3 Fixed in 6.19-rc5 with commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-22990 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ceph/osdmap.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9 https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3 https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b
Powered by blists - more mailing lists