Cyber Resilience

CVE-2026-22990

High

Published: 23 January 2026

Published
23 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22990 is a high-severity Reachable Assertion (CWE-617) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-22990 is a vulnerability in the Linux kernel's libceph module, specifically within the osdmap_apply_incremental() function. The issue stems from an overzealous BUG_ON check that triggers a kernel panic if an osdmap—potentially maliciously corrupted such that its incremental epoch differs from the expected value—is processed. This affects Linux kernel versions with Ceph filesystem support enabled, as libceph handles OSD (object storage daemon) map updates from Ceph clusters.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending a crafted, corrupted incremental osdmap with a mismatched epoch to a vulnerable system acting as a Ceph client, the attacker triggers the BUG_ON, resulting in a denial-of-service condition through kernel crash or panic.

The provided kernel stable commit references detail the fix: replacing the BUG_ON with logic to simply declare the incremental osdmap invalid, preventing the crash while maintaining functionality for valid inputs. Security practitioners should apply these patches—such as commits 4b106fbb1c7b, 6348d70af847, 6afd2a421352, 6c6cec3db3b418c, and 9aa0b0c14cef—from the Linux kernel stable trees to mitigate the issue.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG.…

more

Instead, just declare the incremental osdmap to be invalid.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE directly enables remote unauthenticated kernel panic (DoS) via crafted osdmap input to libceph, matching Endpoint DoS via application/system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31739Same product: Linux Linux Kernel
CVE-2026-31398Same product: Linux Linux Kernel
CVE-2026-23388Same product: Linux Linux Kernel
CVE-2026-23242Same product: Linux Linux Kernel
CVE-2026-22991Same product: Linux Linux Kernel
CVE-2025-21717Same product: Linux Linux Kernel
CVE-2026-23459Same product: Linux Linux Kernel
CVE-2026-31640Same product: Linux Linux Kernel
CVE-2024-56772Same product: Linux Linux Kernel
CVE-2026-23095Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.34, 6.19 · 2.6.34.1 — 5.10.248 · 5.11 — 5.15.198 · 5.16 — 6.1.161

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

The vulnerability arises from inadequate error handling via BUG_ON in osdmap_apply_incremental(), causing kernel panic on corrupted osdmap input; SI-11 mandates error handling that does not compromise system availability.

prevent

SI-10 requires validation of network inputs like the incremental osdmap epoch at the libceph module boundary to reject malformed data before processing.

prevent

SI-2 ensures timely identification, reporting, and patching of kernel flaws such as CVE-2026-22990 via stable commits that replace BUG_ON with osdmap invalidation.

References