CVE-2026-43405

Published: May 8, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL.

Vendor	Product	Versions
Linux	Linux	affected `a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c - < ee5588e2bc41acb73f6676c0520420c107cd0140` affected `a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c - < 86f7060cd638d6eb042e8ed780fb83a59ca0dcb3` affected `a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c - < 5f2806684b05bd24d05c091083b8e2517ba8ffac` affected `a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c - < b268984ae88cb0dcd7a8e8263962c748448e26e8` affected `a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c - < ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace` +2 more versions
Linux	Linux	affected `5.11` unaffected `0 - < 5.11` unaffected `5.15.203 - <= 5.15.` unaffected `6.1.167 - <= 6.1.` unaffected `6.6.130 - <= 6.6.*` +4 more versions