CVE-2026-22990
📋 TL;DR
A vulnerability in the Linux kernel's libceph component allows a BUG_ON assertion in osdmap_apply_incremental() to be triggered by a maliciously corrupted osdmap. This can cause kernel panics and system crashes on systems using Ceph storage. It affects Linux systems with Ceph client functionality enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data unavailability in Ceph storage environments.
Likely Case
System crash requiring reboot when processing malicious or corrupted Ceph osdmap data.
If Mitigated
Minimal impact as the patch replaces BUG_ON with proper error handling, preventing kernel panic.
🎯 Exploit Status
Exploitation requires ability to inject malicious osdmap data into Ceph cluster, which typically requires some level of access to the storage infrastructure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 4b106fbb1c7b841cd402abd83eb2447164c799ea, 6348d70af847b79805374fe628d3809a63fd7df3, 6afd2a4213524bc742b709599a3663aeaf77193c, 6c6cec3db3b418c4fdf815731bc39e46dff75e1b, 9aa0b0c14cefece078286d78b97d4c09685e372d
Vendor Advisory: https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable Ceph client functionality
If Ceph storage is not required, disable Ceph client support in kernel configuration.
# Recompile kernel without CEPH_FS and CEPH_LIB options
🧯 If You Can't Patch
- Restrict access to Ceph storage infrastructure to trusted entities only
- Implement network segmentation to isolate Ceph storage traffic
🔍 How to Verify
Check if Vulnerable:
Check if system uses Ceph and examine kernel version against patched commits. Run: uname -r and check kernel source for vulnerable code.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated and contains the patched commits. Check dmesg for any Ceph-related kernel panic messages.
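The exposure side of the check above, as an added example that is not part of the original advisory: it reports whether the Ceph client options named in the workaround (CEPH_LIB, CEPH_FS) are built and whether the libceph, ceph or rbd modules are loaded. The function names are hypothetical, and the /boot/config-<release> location is an assumption that holds only where the distribution ships the kernel config there.

```shell
#!/bin/sh
# Added example (not from the advisory): is the Ceph kernel client built
# and in use on this host? File paths are parameters so saved copies work.

# Print y, m or n for a Kconfig symbol ($1) in a kernel config file ($2).
kconfig_state() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" 2>/dev/null | head -n 1)
    echo "${val:-n}"
}

# List loaded Ceph client modules from a /proc/modules-format file ($1).
ceph_modules_loaded() {
    awk '$1 == "libceph" || $1 == "ceph" || $1 == "rbd" { print $1 }' \
        "${1:-/proc/modules}" 2>/dev/null | sort | tr '\n' ' ' | sed 's/ $//'
}

# One-line verdict from a config file ($1) and a modules file ($2).
ceph_exposure() {
    mods=$(ceph_modules_loaded "$2")
    if [ -n "$mods" ]; then echo "in-use: $mods"; return; fi
    if [ ! -r "$1" ]; then echo "unknown: cannot read $1"; return; fi
    lib=$(kconfig_state CONFIG_CEPH_LIB "$1")
    fs=$(kconfig_state CONFIG_CEPH_FS "$1")
    case "$lib$fs" in
        nn) echo "not-built" ;;
        y*) echo "built-in: CEPH_LIB=y CEPH_FS=$fs" ;;
        *)  echo "built-not-loaded: CEPH_LIB=$lib CEPH_FS=$fs" ;;
    esac
}

# Live check; /boot/config-<release> is a distribution convention.
ceph_exposure "/boot/config-$(uname -r)" /proc/modules
```

A verdict of in-use or built-in means the host still needs a kernel containing the fix commits; this script does not determine whether the running kernel has them.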
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- Ceph client crash logs
- System reboot events without clear cause
Network Indicators:
- Unusual Ceph protocol traffic patterns
- Malformed osdmap data transmission
SIEM Query:
(source="kernel" AND "panic" AND "ceph") OR (source="kernel" AND "BUG" AND "osdmap_apply_incremental")
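The same indicators applied to a saved kernel log, as an added example that is not part of the original advisory: a BUG report spans several log lines, so the script correlates the "kernel BUG at" line with a later line naming osdmap_apply_incremental instead of requiring both on one line. The sample log is constructed (line number, offsets and timestamps are made up) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): correlate multi-line kernel BUG
# reports with the libceph osdmap code in a saved kernel log.

# Constructed sample log; line number, offsets and timestamps are made up.
sample_log() {
cat <<'EOF'
[  101.000001] libceph: mon0 (1)192.0.2.10:6789 session established
[  140.512000] kernel BUG at net/ceph/osdmap.c:1234!
[  140.512010] invalid opcode: 0000 [#1] SMP
[  140.512020] RIP: 0010:osdmap_apply_incremental+0x100/0x900 [libceph]
[  140.512090] ---[ end trace 0000000000000000 ]---
[  300.000000] kernel BUG at fs/ext4/inode.c:1!
[  300.000010] RIP: 0010:ext4_writepages+0x10/0x20
[  300.000020] ---[ end trace 0000000000000000 ]---
EOF
}

# Print the "kernel BUG at" line of every report that involves
# net/ceph/osdmap.c or osdmap_apply_incremental. Reads a log on stdin.
osdmap_bug_reports() {
    awk '
        /kernel BUG at / { if (inrep && hit) print first
                           first = $0; inrep = 1
                           hit = ($0 ~ /net\/ceph\/osdmap\.c/); next }
        inrep && /osdmap_apply_incremental/ { hit = 1 }
        inrep && /end trace/ { if (hit) print first; inrep = 0; hit = 0 }
        END { if (inrep && hit) print first }   # log cut off by the crash
    '
}

sample_log | osdmap_bug_reports
```

On a host with a persistent journal, `journalctl -k -b -1 | osdmap_bug_reports` checks the boot that preceded an unexplained restart.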
🔗 References
- https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea
- https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3
- https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c
- https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b
- https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d
- https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9
- https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b