HIGH
ceph OSDMap Decode OOB
CVE-2025-71116
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 7.1 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: make decode_pool() more resilient against corrupted osdmaps

If the osdmap is (maliciously) corrupted such that the encoded length of the ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.
02 KernelScan AI Analysis
Risk summary
An attacker who can provide malformed Ceph osdmap data to the kernel could trigger out-of-bounds memory reads, potentially leading to information disclosure or system crashes. This primarily affects systems using Ceph storage clusters where the osdmap data might come from untrusted sources.
Vulnerability analysis
Root Cause: The decode_pool() function in libceph's osdmap parsing code relied solely on a length value from the encoded data to perform bounds checking. If this length value was maliciously corrupted to be smaller than expected, the function would still attempt to decode fields beyond the actual buffer boundaries, leading to out-of-bounds reads.
Attack Surface: This vulnerability affects systems using Ceph distributed storage that process osdmap data from potentially untrusted sources. Triggering it requires delivering malformed osdmap data to the kernel's Ceph client, which could happen over the network from a compromised Ceph cluster, or locally if an attacker can already influence the osdmap data the client processes.
Fix Mechanism: The patch adds explicit bounds checks using ceph_decode_*_safe() and ceph_decode_skip_*() macros for each field that is decoded or skipped. These macros verify that sufficient data remains in the buffer before attempting to read, preventing out-of-bounds access even when the encoded length is corrupted.
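To make the before/after pattern concrete, here is a constructed user-space model, added as an example and not taken from libceph or the patch: the envelope layout, struct pool, decode_pool_unchecked(), decode_pool_checked() and the NEED macro are all invented, with NEED standing in for the ceph_decode_*_safe()/ceph_decode_skip_*() helpers. The unchecked decoder trusts the envelope length alone and walks 12 bytes past a 5-byte map; the checked decoder rejects the same bytes before the first field read.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed envelope layout (stand-in for ceph_pg_pool, not the real encoding):
 *   u32 len | u8 version | u32 type | u32 size | u32 pg_num (only if version >= 2)
 * 'len' claims how many bytes follow it; a corrupted map can make it too small. */
struct pool { uint32_t type, size, pg_num; };
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Vulnerable pattern: the envelope length is the only bounds check, so a small 'len'
 * lets the fixed-size fields run past the buffer. Returns the final cursor offset. */
size_t decode_pool_unchecked(const uint8_t *buf, size_t buflen, struct pool *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint32_t len = get32(p); p += 4;
    if (len > (size_t)(end - p))            /* the only check present */
        return 0;
    uint8_t version = *p++;                 /* nothing below is checked against end */
    out->type = get32(p); p += 4;
    out->size = get32(p); p += 4;
    if (version >= 2) { out->pg_num = get32(p); p += 4; }
    return (size_t)(p - buf);
}

/* Hardened pattern: verify the remaining bytes before every read, as the
 * ceph_decode_*_safe() helpers do, and bound later reads by the envelope. */
#define NEED(p, end, n) do { if ((size_t)((end) - (p)) < (size_t)(n)) return -1; } while (0)
int decode_pool_checked(const uint8_t *buf, size_t buflen, struct pool *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    NEED(p, end, 4);
    uint32_t len = get32(p); p += 4;
    NEED(p, end, len);
    end = p + len;                          /* clamp to the envelope itself */
    NEED(p, end, 1);
    uint8_t version = *p++;
    NEED(p, end, 4); out->type = get32(p); p += 4;
    NEED(p, end, 4); out->size = get32(p); p += 4;
    if (version >= 2) { NEED(p, end, 4); out->pg_num = get32(p); p += 4; }
    return 0;
}

/* Constructed inputs. The arrays carry slack so the demonstration itself stays within
 * defined behaviour; the kernel's osdmap buffer has no such slack. */
static const uint8_t corrupt_map[32] = { 1, 0, 0, 0, 2 };   /* len = 1, yet version 2 needs 13 */
static const uint8_t valid_map[32] = { 13, 0, 0, 0, 2, 1, 0, 0, 0, 3, 0, 0, 0, 8, 0, 0, 0 };
size_t overrun_unchecked(void) { struct pool pl; return decode_pool_unchecked(corrupt_map, 5, &pl); }
int reject_checked(void) { struct pool pl; return decode_pool_checked(corrupt_map, 5, &pl); }
int accept_checked(struct pool *pl) { return decode_pool_checked(valid_map, 17, pl); }
```

overrun_unchecked() returns 17 although the map handed in is only 5 bytes long, which is exactly the read-past-the-end the patch closes; reject_checked() returns -1 for the same input.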
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | d061be4c8040 |
| 5.15 | 5.15.198 | 145d140abda8 |
| 6.1 | 6.1.160 | c82e39ff6735 |
| 6.6 | 6.6.120 | e927ab132b87 |
| 6.12 | 6.12.64 | 5d0d8c292531 |
| 6.18 | 6.18.3 | 2acb8517429a |
| mainline | 6.19 | 8c738512714e |