CVE-2025-71116

CVE-2025-71116 is a vulnerability in the Linux kernel's libceph component, specifically in the decode_pool() function used for parsing Ceph OSD maps. If an OSD map is corrupted—such as through malicious alteration—so that the encoded length of the ceph_pg_pool envelope is shorter than expected for a given encoding version, the function can perform out-of-bounds reads. This stems from relying solely on the corrupted length value for bounds checking, without explicit verification of individual fields. The issue is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can exploit this vulnerability by providing a maliciously corrupted OSD map to a system using libceph, such as one interacting with a Ceph storage cluster. Successful exploitation triggers out-of-bounds memory reads, potentially leading to high-impact confidentiality violations through kernel memory disclosure and high-impact availability disruptions via crashes or denial of service. No user interaction is required, and the attack is straightforward given low complexity and privileges.

Mitigation involves applying the upstream kernel patches referenced in the stable git commits, including 145d140abda80e33331c5781d6603014fa75d258, 2acb8517429ab42146c6c0ac1daed1f03d2fd125, 5d0d8c292531fe356c4e94dcfdf7d7212aca9957, 8c738512714e8c0aa18f8a10c072d5b01c83db39, and c82e39ff67353a5a6cbc07b786b8690bd2c45aaa. These patches enhance decode_pool() with explicit bounds checks for each decoded or skipped field, making it resilient to such corruptions. Security practitioners should update affected Linux kernels promptly, particularly those using Ceph integration.