PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43406 Linux CVE debrief

CVE-2026-43406 is a critical Linux kernel issue in libceph where malformed or spoofed message framing can cause out-of-bounds reads during process_message_header(). The published fix adds an explicit bounds check before decoding the message header, reducing the chance that corrupted control-segment sizing or a frame that only appears to be a message frame will drive unsafe parsing.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators using the kernel Ceph client/libceph should prioritize this issue, especially on systems that can receive untrusted or remotely influenced Ceph traffic.

Technical summary

NVD classifies the flaw as CWE-125 (out-of-bounds read) with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The issue is described as a parsing bug in libceph’s process_message_header(): if a message frame is corrupted so the control segment is smaller than the message header, or if a different frame is made to resemble a message frame, the function may read beyond bounds. The NVD record lists vendor patches and affected Linux kernel ranges including 5.11 through 5.15.203, 5.16 through 6.1.167, 6.2 through 6.6.130, 6.7 through 6.12.78, 6.13 through 6.18.19, 6.19 through 6.19.9, and early 7.0 release candidates.
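As an added illustration (not libceph's code: the frame layout, header fields, tag value and function names are invented for this debrief), the unchecked decode pattern the summary describes beside the explicit bounds check the fix adds:

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model only, not libceph's real wire format: a frame carries a
 * one-byte tag, a claimed control-segment length, and a pointer to the bytes. */
enum { FRAME_TAG_MESSAGE = 0x11 };   /* hypothetical tag for "message frame" */

struct demo_msg_header {             /* hypothetical 16-byte message header */
    uint64_t seq;
    uint16_t type;
    uint16_t front_len;
    uint32_t data_len;
};

struct demo_frame {
    uint8_t tag;
    uint16_t ctrl_len;               /* control-segment length as claimed on the wire */
    const uint8_t *ctrl;             /* control segment inside the receive buffer */
};

/* Vulnerable pattern: decodes a full header out of the control segment without
 * confirming the segment holds one, so a short segment makes memcpy read past it (CWE-125). */
int header_from_frame_unchecked(const struct demo_frame *f, struct demo_msg_header *out)
{
    memcpy(out, f->ctrl, sizeof(*out));
    return 0;
}

/* Hardened pattern: reject frames that are not message frames, then require the
 * control segment to be at least header-sized before decoding anything. */
int header_from_frame_checked(const struct demo_frame *f, struct demo_msg_header *out)
{
    if (f->tag != FRAME_TAG_MESSAGE)
        return -EINVAL;              /* some other frame kind dressed up as a message */
    if (f->ctrl_len < sizeof(*out))
        return -EBADMSG;             /* control segment smaller than the header */
    memcpy(out, f->ctrl, sizeof(*out));
    return 0;
}

/* Constructed 64-byte receive buffer: large enough that the unchecked over-read
 * stays inside allocated memory here, so the demo runs without crashing. */
static uint8_t rx_buf[64];
int demo_parse(uint8_t tag, uint16_t ctrl_len, int checked)
{
    struct demo_frame f = { .tag = tag, .ctrl_len = ctrl_len, .ctrl = rx_buf };
    struct demo_msg_header h;
    return checked ? header_from_frame_checked(&f, &h)
                   : header_from_frame_unchecked(&f, &h);
}
```

With an 8-byte control segment the unchecked decoder reports success while having read 8 bytes beyond the segment; the checked decoder refuses the frame before touching it.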

Defensive priority

High. The combination of network reachability, no privileges, no user interaction, and potential confidentiality/availability impact makes this a critical patching item for kernel builds that include libceph support.

Recommended defensive actions

  • Review whether your Linux kernel build includes libceph/Ceph client support and whether it is deployed in environments that can process remote Ceph traffic.
  • Upgrade to a kernel release that incorporates the vendor fix or backported stable patch for your branch.
  • Track your vendor’s advisory or kernel stable update stream for the specific backport corresponding to your supported kernel line.
  • If immediate upgrade is not possible, reduce exposure by limiting access to Ceph-related network paths and monitoring for malformed or unexpected message traffic.
  • Use the NVD affected-version ranges to confirm whether a deployed kernel version is within scope before scheduling remediation.

Evidence notes

Timing is based on the supplied CVE publication timestamp of 2026-05-08 and NVD modification timestamp of 2026-05-21. The supplied NVD record marks the vulnerability as analyzed, lists multiple official kernel patch references, and provides affected CPE version ranges. No KEV entry was supplied in the corpus.

Official resources

Published 2026-05-08T15:16:52.137Z; modified 2026-05-21T19:09:31.857Z. No KEV listing was supplied.