CVE-2026-52956

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph x decrypt()

In ceph x decrypt(), a part of the buffer p is interpreted as a ceph x encrypt header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph x encrypt header). E.g., a message frame of type FRAME TAG AUTH REPLY MORE, that is just as long to hold the ciphertext at its end with a ciphertext len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic.

This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph x encrypt header.