PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43405 Linux CVE debrief

CVE-2026-43405 is a Linux kernel libceph parsing bug in ceph_monmap_decode(). It is not a classic code-execution flaw; it is a validation and type-handling mistake: a u32 count decoded from the wire was held in a signed int, so a large incoming value becomes negative, never trips the num_mon > CEPH_MAX_MON check, and drives an attempted oversized allocation for the monmap structure. NVD rates the issue high severity because the parsing path is reachable over the network and the impact is on availability.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-21
Advisory published
2026-05-08
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use the kernel Ceph client (libceph and its in-kernel consumers such as CephFS mounts and rbd block devices) on affected kernel releases should prioritize this CVE.

Technical summary

The kernel function ceph_monmap_decode() used signed int variables for blob_len and num_mon even though the decoded values are non-negative u32 inputs. With a 32-bit int, any wire value of 0x80000000 or above is read as a negative number, and a negative num_mon is never greater than CEPH_MAX_MON, so NVD describes the num_mon > CEPH_MAX_MON validation as failing open. The allocation size is then computed from that negative count, which converts to an enormous unsigned length; the allocation fails and the function returns -ENOMEM instead of the -EINVAL a malformed monmap should produce. NVD classifies the weakness as CWE-908 (Use of Uninitialized Resource); note that the mechanism described is a signed/unsigned conversion error, so treat the CWE as NVD's label rather than as a description of the bug.
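The following added example, which is not kernel code and not part of the original debrief, reproduces the mechanism in user space: the same 4-byte count is decoded once into a signed int (the pre-fix type) and once into a u32 (the fixed type), and both paths are run against a benign count, an out-of-range count, and 0xFFFFFFFF. The header and per-monitor sizes, the toy allocator and its limit, and all function names are assumptions for illustration; only CEPH_MAX_MON and the int-to-u32 change mirror the kernel.

```c
/*
 * Added illustration of the CVE-2026-43405 mechanism, not kernel code.
 * Assumptions: the header/entry sizes, the toy allocator and the function
 * names are made up for this example; CEPH_MAX_MON and the int -> u32
 * change are the parts that mirror the kernel.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CEPH_MAX_MON 31               /* kernel constant (include/linux/ceph/libceph.h) */

#define MONMAP_HEADER_LEN 16u         /* assumed fixed header size */
#define MON_INST_LEN      72u         /* assumed size of one monitor entry */
#define TOY_ALLOC_LIMIT   (4u << 20)  /* toy "kmalloc" refuses requests above 4 MiB */

struct decode_result {
    int    rc;         /* 0 on success, otherwise -EINVAL or -ENOMEM */
    size_t alloc_len;  /* bytes requested from the allocator (0 if rejected first) */
};

/* Stand-in for kmalloc(): only the size check matters here. */
static int toy_alloc(size_t len)
{
    return len <= TOY_ALLOC_LIMIT ? 0 : -ENOMEM;
}

/* Ceph wire encoding is little-endian. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Pre-fix shape: the u32 count is stored in a signed int. */
struct decode_result monmap_decode_signed(const uint8_t *buf, size_t len)
{
    struct decode_result r = { 0, 0 };
    int num_mon;

    if (len < 4) {
        r.rc = -EINVAL;
        return r;
    }
    num_mon = (int)get_le32(buf);        /* 0x80000000 and above wrap negative on gcc/clang */
    if (num_mon > CEPH_MAX_MON) {        /* a negative count never trips this check */
        r.rc = -EINVAL;
        return r;
    }
    /* The negative int converts to a huge size_t, so the request is absurd. */
    r.alloc_len = MONMAP_HEADER_LEN + (size_t)num_mon * MON_INST_LEN;
    r.rc = toy_alloc(r.alloc_len);       /* fails with -ENOMEM instead of -EINVAL */
    return r;
}

/* Post-fix shape: the count keeps its u32 type, so the bound check holds. */
struct decode_result monmap_decode_fixed(const uint8_t *buf, size_t len)
{
    struct decode_result r = { 0, 0 };
    uint32_t num_mon;

    if (len < 4) {
        r.rc = -EINVAL;
        return r;
    }
    num_mon = get_le32(buf);
    if (num_mon > CEPH_MAX_MON) {        /* 0xFFFFFFFF is rejected here */
        r.rc = -EINVAL;
        return r;
    }
    r.alloc_len = MONMAP_HEADER_LEN + (size_t)num_mon * MON_INST_LEN;
    r.rc = toy_alloc(r.alloc_len);
    return r;
}

/* Build a constructed 4-byte blob carrying num_mon and run one decoder on it. */
struct decode_result decode_case(uint32_t num_mon, int use_fixed)
{
    uint8_t blob[4];

    put_le32(blob, num_mon);
    return use_fixed ? monmap_decode_fixed(blob, sizeof blob)
                     : monmap_decode_signed(blob, sizeof blob);
}

int main(void)
{
    const uint32_t cases[] = { 3u, 32u, 0xFFFFFFFFu };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct decode_result s = decode_case(cases[i], 0);
        struct decode_result f = decode_case(cases[i], 1);
        printf("num_mon=0x%08x  signed: rc=%d len=%zu  fixed: rc=%d len=%zu\n",
               cases[i], s.rc, s.alloc_len, f.rc, f.alloc_len);
    }
    return 0;
}
```

For a count of 3 both decoders behave identically; for 32 both return -EINVAL; for 0xFFFFFFFF only the fixed decoder returns -EINVAL, while the signed one passes the bound check and asks the allocator for a length far beyond anything it can satisfy, so the caller sees -ENOMEM. The kernel does its size arithmetic through its own allocation helpers rather than the raw multiplication shown here, but the observable outcome the CVE describes is the same.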

Defensive priority

High for any environment running affected Linux kernel branches with Ceph/libceph enabled. The fix is a small parser/type correction, but the exposure is remote and the official severity is high.

Recommended defensive actions

  • Apply the stable kernel updates or patches linked in the official NVD references for the affected branches.
  • Confirm whether your fleet uses the kernel Ceph/libceph code path; if not, still patch according to your normal kernel maintenance policy.
  • Prioritize remediation on clients whose monitor sessions cross network segments you do not fully control: the monmap is parsed from messages received from Ceph monitors, so exposure follows the trust you place in the monitors and the path to them.
  • Use the affected-version ranges from NVD to map exposure across supported branches before scheduling maintenance.

Evidence notes

CVE-2026-43405 was published in the official record on 2026-05-08 and last modified on 2026-05-21. The NVD record lists a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and CWE-908. The NVD CPE criteria mark Linux kernel ranges starting at 5.11, 5.16, 6.2, 6.7, 6.13, 6.19, and 7.0-rc1 through 7.0-rc3 as vulnerable up to the specified fixed versions. The supplied description attributes the bug to the signed types of blob_len and num_mon in ceph_monmap_decode(), which let a very large num_mon evade the max-mon check and trigger an unnecessary large allocation attempt.

Official resources

Official CVE/NVD publication date: 2026-05-08. Official record last modified: 2026-05-21. This debrief is based only on the supplied CVE/NVD corpus and the linked official kernel patch references.