Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71116

CVE-2025-71116: Linux Kernel Libceph OOB Vulnerability

CVE-2025-71116 is an out-of-bounds read flaw in the Linux kernel's libceph component that occurs when processing corrupted osdmaps. This post covers the technical details, affected versions, security impact, and mitigation.

Published: January 23, 2026

CVE-2025-71116 Overview

A vulnerability has been identified in the Linux kernel's libceph component, specifically in the decode_pool() function responsible for processing Ceph OSDMap data. The vulnerability allows for out-of-bounds reads when handling maliciously corrupted OSDMaps where the encoded length of the ceph_pg_pool envelope is less than expected for a particular encoding version.

Critical Impact

Attackers with the ability to provide corrupted OSDMaps could trigger out-of-bounds memory reads, potentially leading to information disclosure or denial of service conditions on systems using Ceph storage.

Affected Products

  • Linux Kernel (multiple versions with libceph support)
  • Systems utilizing Ceph distributed storage
  • Environments running Ceph client (libceph) kernel module

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71116 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2025-71116

Vulnerability Analysis

The vulnerability exists in the decode_pool() function within the Linux kernel's libceph module. This function is responsible for parsing OSDMap data structures that describe the state and configuration of a Ceph storage cluster. The core issue is insufficient bounds checking during the decoding process.

When processing an OSDMap, the function relies on an encoded length value within the ceph_pg_pool envelope to determine the boundaries of the data structure. However, if this length value is maliciously crafted to be smaller than what is required for the declared encoding version, the function proceeds to read data beyond the legitimate boundaries of the buffer. This occurs because the bounds checking mechanism only validates against the potentially corrupted length value rather than performing explicit validation for each decoded field.

The vulnerability can be exploited in scenarios where an attacker can inject or manipulate OSDMap data that is processed by the kernel's Ceph client. This could occur through various attack vectors including man-in-the-middle attacks on Ceph cluster communication or through compromised Ceph monitor services.

Root Cause

The root cause of this vulnerability is insufficient input validation in the decode_pool() function. The function trusted the encoded length field within the ceph_pg_pool envelope without performing explicit bounds checks for each individual field during the decoding or skipping process. This allowed a mismatch between the declared envelope size and the actual data requirements for the specified encoding version, resulting in out-of-bounds memory access.

Attack Vector

The attack requires the ability to provide corrupted OSDMap data to a system running the affected libceph kernel module. An attacker could exploit this vulnerability by:

  1. Crafting a malicious OSDMap with a ceph_pg_pool envelope containing a length value smaller than required for the encoding version
  2. Delivering this corrupted OSDMap to the target system through Ceph cluster communication channels
  3. Triggering the processing of the malicious OSDMap, causing the kernel to perform out-of-bounds reads

The vulnerability affects systems that parse OSDMap data from potentially untrusted sources. While exploitation requires specific positioning within the network or storage infrastructure, successful exploitation could lead to kernel memory information disclosure or system instability.

Detection Methods for CVE-2025-71116

Indicators of Compromise

  • Unexpected kernel crashes or panics related to Ceph/libceph operations
  • Memory access violations in kernel logs referencing decode_pool() or libceph functions
  • Anomalous OSDMap traffic patterns or malformed Ceph protocol messages
  • Kernel oops or warnings involving the ceph kernel module

Detection Strategies

  • Monitor kernel logs for memory access violations related to libceph or Ceph operations
  • Implement network monitoring to detect malformed or unusually small OSDMap envelopes in Ceph traffic
  • Deploy kernel debugging tools to identify out-of-bounds read attempts in affected kernel modules
  • Use SentinelOne Singularity to detect anomalous kernel behavior indicative of exploitation attempts

Monitoring Recommendations

  • Enable kernel auditing for Ceph-related system calls and module operations
  • Configure alerting for kernel panic events involving libceph components
  • Monitor Ceph monitor services for signs of compromise or unauthorized modification
  • Implement network intrusion detection for suspicious Ceph protocol anomalies

How to Mitigate CVE-2025-71116

Immediate Actions Required

  • Apply the relevant kernel patches from the official Linux kernel stable branches
  • Restrict access to Ceph cluster communication channels to trusted systems only
  • Monitor systems for signs of exploitation while patching is underway
  • Consider temporarily isolating systems with critical Ceph deployments until patches are applied

Patch Information

The Linux kernel maintainers have released patches across multiple stable kernel branches to address this vulnerability. The fix adds explicit bounds checks for each field that is decoded or skipped during OSDMap processing, rather than relying solely on the encoded length value.

Patches are available at the following kernel git commits:

  • Kernel Patch 145d140
  • Kernel Patch 2acb851
  • Kernel Patch 5d0d8c2
  • Kernel Patch 8c73851
  • Kernel Patch c82e39f
  • Kernel Patch d061be4
  • Kernel Patch e927ab1

Workarounds

  • Implement network-level filtering to restrict Ceph protocol traffic to known trusted sources
  • Use firewall rules to limit access to Ceph monitor and OSD communication ports
  • Consider disabling the libceph kernel module if Ceph storage functionality is not required
  • Deploy network segmentation to isolate Ceph infrastructure from untrusted networks
bash
# Example: Restrict Ceph monitor access using iptables
# Allow only trusted IP ranges to communicate with Ceph monitors
iptables -A INPUT -p tcp --dport 6789 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6789 -j DROP

# Verify libceph module status
lsmod | grep ceph

# If not needed, blacklist the module
echo "blacklist ceph" >> /etc/modprobe.d/blacklist-ceph.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechCeph
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.03%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Patch 145d140
  • Kernel Patch 2acb851
  • Kernel Patch 5d0d8c2
  • Kernel Patch 8c73851
  • Kernel Patch c82e39f
  • Kernel Patch d061be4
  • Kernel Patch e927ab1
  • Related CVEs
  • CVE-2026-23189: Linux Kernel Privilege Escalation Flaw
  • CVE-2024-48916: Ceph RadosGW Authentication Bypass Flaw
  • CVE-2020-1716: Ceph-ansible Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English