CVE-2026-22990

moderate-risk

Published 2026-01-23

In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (12)

Linux Kernel

Affected Vendors

Linux

References (7)

Patch https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea

Patch https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3

Patch https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c

Patch https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b

Patch https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d

Patch https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9

Patch https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 17/34 · Moderate