Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71116

CVE-2025-71116: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71116 is a buffer overflow vulnerability in the Linux Kernel's libceph component that allows out-of-bounds reads via corrupted osdmaps. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71116 Overview

CVE-2025-71116 is an out-of-bounds read vulnerability in the Linux kernel's libceph subsystem. The flaw resides in the decode_pool() function, which parses ceph_pg_pool envelope structures from OSD maps. When the encoded length field is smaller than what the encoding version requires, the function reads memory beyond the intended buffer. The only bounds check relied on that attacker-controlled length value, allowing crafted or corrupted OSD maps to trigger out-of-bounds reads in kernel space. The vulnerability is tracked under CWE-125: Out-of-bounds Read and affects the Linux kernel from version 3.9 through 6.19-rc8.

Critical Impact

A malicious or corrupted Ceph OSD map can trigger kernel-space out-of-bounds reads, leading to information disclosure or denial of service on hosts using the Ceph kernel client.

Affected Products

  • Linux Kernel 3.9 and later stable branches
  • Linux Kernel 6.19-rc1 through 6.19-rc8
  • Systems using the in-kernel Ceph client (libceph, ceph, rbd)

Discovery Timeline

  • 2026-01-14 - CVE-2025-71116 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71116

Vulnerability Analysis

The libceph kernel module decodes OSD maps received from Ceph monitors. The decode_pool() function processes ceph_pg_pool structures, each prefixed by an envelope that declares the encoded length and version. The decoder validated subsequent reads only against this declared length. When the length is smaller than required by the encoding version, individual field reads still proceed without per-field bounds verification. This permits the decoder to step past the legitimate pool envelope into adjacent memory.

An attacker who can deliver a crafted OSD map to a kernel Ceph client triggers reads of unintended kernel memory. The impact includes kernel information leakage and potential system crashes when invalid data drives subsequent allocation or pointer logic. Local exploitation is required, with low privileges and no user interaction.

Root Cause

The root cause is reliance on a single envelope length check rather than explicit bounds validation for each decoded field. The remediation, applied across stable branches in commits such as 145d140, 2acb851, 5d0d8c2, 8c73851, c82e39f, d061be4, and e927ab1, adds explicit bounds checks for every field that decode_pool() either reads or skips.

Attack Vector

Exploitation requires the ability to influence OSD map contents reaching a vulnerable kernel client. This is feasible when an attacker controls or compromises a Ceph monitor, performs a man-in-the-middle attack on unauthenticated cluster traffic, or supplies a malicious cluster configuration to a local user with mount privileges. The vulnerability does not provide write primitives directly; it exposes confidentiality of kernel memory and availability of the host.

No public proof-of-concept code is available. Refer to the upstream patches linked in the Patch Information section for the exact decoder changes.

Detection Methods for CVE-2025-71116

Indicators of Compromise

  • Kernel oops or panic messages referencing decode_pool, ceph_decode_pg_pool, or osdmap_decode in dmesg or /var/log/kern.log
  • Unexpected KASAN: out-of-bounds reports tied to the libceph module on kernels with KASAN enabled
  • Repeated Ceph client reconnects or mount failures correlated with malformed OSD map deliveries

Detection Strategies

  • Inventory hosts loading the libceph, ceph, or rbd kernel modules and cross-reference against patched kernel versions
  • Monitor kernel log streams for crash signatures originating in OSD map decoding paths
  • Track Ceph monitor authentication state to identify clients connecting without cephx mutual authentication

Monitoring Recommendations

  • Forward kernel ring buffer events to a central log platform and alert on libceph fault signatures
  • Audit Ceph cluster network paths for unencrypted or unauthenticated monitor traffic
  • Establish baselines for Ceph client mount activity and flag unexpected mounts from untrusted configurations

How to Mitigate CVE-2025-71116

Immediate Actions Required

  • Apply the latest stable Linux kernel update from your distribution that includes the decode_pool() bounds-check fix
  • Restrict Ceph cluster access to authenticated peers using cephx and enable ms_client_mode=secure for in-transit protection
  • Limit which local users can issue mount.ceph or map RBD devices, since exploitation requires local access to the Ceph client surface

Patch Information

The fix adds explicit bounds checks for each decoded or skipped field in decode_pool(). Upstream commits are available at Kernel Patch 145d140, Kernel Patch 2acb851, Kernel Patch 5d0d8c2, Kernel Patch 8c73851, Kernel Patch c82e39f, Kernel Patch d061be4, and Kernel Patch e927ab1.

Workarounds

  • Unload the ceph and rbd kernel modules on hosts that do not require kernel-mode Ceph access and blacklist them via modprobe
  • Use userspace Ceph clients such as librbd with QEMU or the FUSE-based ceph-fuse instead of the kernel client where feasible
  • Enforce network segmentation so only trusted monitor and OSD endpoints can reach Ceph clients
bash
# Configuration example: blacklist Ceph kernel modules where not required
echo 'blacklist ceph' | sudo tee /etc/modprobe.d/blacklist-ceph.conf
echo 'blacklist rbd'  | sudo tee -a /etc/modprobe.d/blacklist-ceph.conf
echo 'blacklist libceph' | sudo tee -a /etc/modprobe.d/blacklist-ceph.conf
sudo update-initramfs -u

# Verify the running kernel after applying the distribution patch
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.