CRITICAL
libceph MessageHeader OOB
CVE-2026-43406
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI7.5HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header.
02KernelScan AI Analysis
Risk summary
Remote attackers can trigger out-of-bounds memory reads in the Ceph distributed storage client by sending malformed message frames. This can lead to information disclosure from kernel memory without requiring authentication or privileges.
Vulnerability analysis
The vulnerability occurs in process_message_header() where the code directly casts a pointer to struct ceph_msg_header2 without validating that sufficient bytes are available in the buffer. A malicious Ceph server or network attacker can craft message frames with corrupted control segment lengths that are smaller than the expected header size, causing the kernel to read beyond allocated memory boundaries. The fix adds an explicit bounds check using ceph_decode_need() before accessing the header structure, ensuring the buffer contains at least sizeof(*hdr2) bytes before proceeding with header processing.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | 76ccf21a12c5 |
| 6.1 | 6.1.167 | 75582aaa580c |
| 6.12 | 6.12.78 | dbd857a9e1e3 |
| 6.18 | 6.18.19 | 69fe5af33fa3 |
| 6.19 | 6.19.9 | 035867ae6f18 |
| 6.6 | 6.6.130 | 50156622eb08 |
| mainline | 7.0 | 69fb5d91bba4 |