Cyber Posture

CVE-2026-22990

High

Published: 23 January 2026

Published
23 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 3.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22990 is a high-severity Reachable Assertion (CWE-617) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

CVE directly enables remote unauthenticated kernel panic (DoS) via crafted osdmap input to libceph, matching Endpoint DoS via application/system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG.…

more

Instead, just declare the incremental osdmap to be invalid.

Deeper analysisAI

CVE-2026-22990 is a vulnerability in the Linux kernel's libceph module, specifically within the osdmap_apply_incremental() function. The issue stems from an overzealous BUG_ON check that triggers a kernel panic if an osdmap—potentially maliciously corrupted such that its incremental epoch differs from the expected value—is processed. This affects Linux kernel versions with Ceph filesystem support enabled, as libceph handles OSD (object storage daemon) map updates from Ceph clusters.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending a crafted, corrupted incremental osdmap with a mismatched epoch to a vulnerable system acting as a Ceph client, the attacker triggers the BUG_ON, resulting in a denial-of-service condition through kernel crash or panic.

The provided kernel stable commit references detail the fix: replacing the BUG_ON with logic to simply declare the incremental osdmap invalid, preventing the crash while maintaining functionality for valid inputs. Security practitioners should apply these patches—such as commits 4b106fbb1c7b, 6348d70af847, 6afd2a421352, 6c6cec3db3b418c, and 9aa0b0c14cef—from the Linux kernel stable trees to mitigate the issue.

Details

CWE(s)
CWE-617

Affected Products

linux
linux kernel
2.6.34, 6.19 · 2.6.34.1 — 5.10.248 · 5.11 — 5.15.198 · 5.16 — 6.1.161

CVEs Like This One

CVE-2026-31739Same product: Linux Linux Kernel
CVE-2026-23440Same product: Linux Linux Kernel
CVE-2026-31467Same product: Linux Linux Kernel
CVE-2026-31626Same product: Linux Linux Kernel
CVE-2026-31638Same product: Linux Linux Kernel
CVE-2025-21701Same product: Linux Linux Kernel
CVE-2026-23351Same product: Linux Linux Kernel
CVE-2026-31600Same product: Linux Linux Kernel
CVE-2026-31538Same product: Linux Linux Kernel
CVE-2026-22992Same product: Linux Linux Kernel

References