CVE-2026-22990 in Linux
Summary
by MITRE • 01/23/2026
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.
Analysis
by VulDB Data Team • 06/21/2026
The vulnerability identified as CVE-2026-22990 resides within the Linux kernel's Ceph storage subsystem, specifically in the libceph library component. This issue manifests in the osdmap_apply_incremental() function, where an overly aggressive BUG_ON condition has been replaced with a more graceful error handling mechanism. The Ceph storage system relies heavily on osdmaps to maintain cluster state information, with each osdmap containing epoch numbers that track the sequence of cluster state changes. When processing incremental osdmap updates, the system must validate that the epoch numbers align correctly with the expected sequence to maintain data consistency and cluster integrity.
The technical flaw stems from an excessive error handling approach that causes the kernel to panic when encountering osdmap corruption where epoch numbers do not match expected values. This BUG_ON condition was designed to catch what was considered an impossible scenario, but in practice, malicious actors or corrupted data can trigger this condition. The replacement involves changing the behavior to simply invalidate the incremental osdmap rather than causing a system-wide kernel panic. This modification aligns with the principle of graceful degradation, where the system handles unexpected conditions without compromising overall stability.
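The pattern described above, as a simplified user-space model added here for illustration; it is not the kernel's libceph code. The struct, the function names and the two-field buffer layout are assumptions.

```c
/* Simplified user-space model; every name and the buffer layout are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct model_osdmap {
    uint32_t epoch;   /* epoch of the map currently held */
    uint32_t flags;   /* stand-in for the rest of the map state */
};

/* Bounds-checked little-endian u32 read: 0 on success, -EINVAL on short input. */
static int decode_u32(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if ((size_t)(end - *p) < 4)
        return -EINVAL;
    *out = (uint32_t)(*p)[0] | (uint32_t)(*p)[1] << 8 |
           (uint32_t)(*p)[2] << 16 | (uint32_t)(*p)[3] << 24;
    *p += 4;
    return 0;
}

/* Apply a constructed incremental laid out as [epoch:u32][new_flags:u32]. */
int model_apply_incremental(struct model_osdmap *map, const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t epoch, new_flags;

    if (decode_u32(&p, end, &epoch) || decode_u32(&p, end, &new_flags))
        return -EINVAL;
    /* Pre-fix: BUG_ON-style assertion here. Post-fix: untrusted input, reject it. */
    if (epoch != map->epoch + 1)
        return -EINVAL;
    map->epoch = epoch;      /* state changes only after validation */
    map->flags = new_flags;
    return 0;
}

int main(void)
{
    struct model_osdmap m = { .epoch = 7, .flags = 0 };
    const uint8_t stale[] = { 7, 0, 0, 0, 2, 0, 0, 0 };  /* constructed: wrong epoch */
    const uint8_t good[]  = { 8, 0, 0, 0, 1, 0, 0, 0 };  /* constructed: epoch 7 + 1 */
    int rc = model_apply_incremental(&m, stale, sizeof stale);
    printf("stale: rc=%d epoch=%u\n", rc, (unsigned)m.epoch);
    rc = model_apply_incremental(&m, good, sizeof good);
    printf("good:  rc=%d epoch=%u\n", rc, (unsigned)m.epoch);
    return 0;
}
```

The rejected update leaves the held map untouched, so the caller can log the error and carry on with the last valid state.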
The operational impact of this vulnerability is significant for Ceph storage clusters that handle large volumes of data and require high availability. When a maliciously crafted or corrupted osdmap triggers the original BUG_ON condition, the kernel crashes, potentially leading to cluster outages and data access disruptions. The system becomes vulnerable to denial-of-service attacks that exploit this specific code path. The replacement approach ensures that corrupted incremental updates are simply rejected rather than causing complete system failure, maintaining cluster functionality while preventing further processing of invalid data.
This vulnerability relates to CWE-704, which covers incorrect type conversion or cast, and CWE-697, which addresses insufficient comparison of data. The fix addresses a specific case where the system's error handling mechanism becomes overly aggressive, leading to unintended system crashes. From an ATT&CK perspective, this vulnerability could be leveraged as part of a denial-of-service attack pattern where an adversary attempts to destabilize the storage infrastructure. The mitigation strategy involves implementing proper error handling that gracefully rejects malformed data rather than causing system-wide failures. This approach is consistent with the principle of least privilege and robust error handling that prevents cascading failures in distributed storage systems. The fix ensures that the Ceph storage subsystem can maintain operational continuity even when encountering corrupted data, which is essential for enterprise storage environments where uptime and data availability are critical requirements.