{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40362", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.187Z", "datePublished": "2025-12-16T13:40:02.467Z", "dateUpdated": "2025-12-16T13:40:02.467Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-16T13:40:02.467Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix multifs mds auth caps issue\n\nThe mds auth caps check should also validate the\nfsname along with the associated caps. Not doing\nso would result in applying the mds auth caps of\none fs on to the other fs in a multifs ceph cluster.\nThe bug causes multiple issues w.r.t user\nauthentication, following is one such example.\n\nSteps to Reproduce (on vstart cluster):\n1. Create two file systems in a cluster, say 'fsname1' and 'fsname2'\n2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'\n $ceph fs authorize fsname1 client.usr / r\n3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'\n $ceph fs authorize fsname2 client.usr / rw\n4. Update the keyring\n $ceph auth get client.usr >> ./keyring\n\nWith above permssions for the user 'client.usr', following is the\nexpectation.\n a. The 'client.usr' should be able to only read the contents\n and not allowed to create or delete files on file system 'fsname1'.\n b. The 'client.usr' should be able to read/write on file system 'fsname2'.\n\nBut, with this bug, the 'client.usr' is allowed to read/write on file\nsystem 'fsname1'. See below.\n\n5. Mount the file system 'fsname1' with the user 'client.usr'\n $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/\n6. Try creating a file on file system 'fsname1' with user 'client.usr'. This\n should fail but passes with this bug.\n $touch /kmnt_fsname1_usr/file1\n7. Mount the file system 'fsname1' with the user 'client.admin' and create a\n file.\n $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin\n $echo \"data\" > /kmnt_fsname1_admin/admin_file1\n8. Try removing an existing file on file system 'fsname1' with the user\n 'client.usr'. This shoudn't succeed but succeeds with the bug.\n $rm -f /kmnt_fsname1_usr/admin_file1\n\nFor more information, please take a look at the corresponding mds/fuse patch\nand tests added by looking into the tracker mentioned below.\n\nv2: Fix a possible null dereference in doutc\nv3: Don't store fsname from mdsmap, validate against\n ceph_mount_options's fsname and use it\nv4: Code refactor, better warning message and\n fix possible compiler warning\n\n[ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/mds_client.c", "fs/ceph/mdsmap.c", "fs/ceph/super.c", "fs/ceph/super.h"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "07640d34a781bb2e39020a39137073c03c4aa932", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "22c73d52a6d05c5a2053385c0d6cd9984732799d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/mds_client.c", "fs/ceph/mdsmap.c", "fs/ceph/super.c", "fs/ceph/super.h"], "versions": [{"version": "6.12.58", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.8", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932"}, {"url": "https://git.kernel.org/stable/c/ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523"}, {"url": "https://git.kernel.org/stable/c/22c73d52a6d05c5a2053385c0d6cd9984732799d"}], "title": "ceph: fix multifs mds auth caps issue", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix multifs mds auth caps issue\n\nThe mds auth caps check should also validate the\nfsname along with the associated caps. Not doing\nso would result in applying the mds auth caps of\none fs on to the other fs in a multifs ceph cluster.\nThe bug causes multiple issues w.r.t user\nauthentication, following is one such example.\n\nSteps to Reproduce (on vstart cluster):\n1. Create two file systems in a cluster, say 'fsname1' and 'fsname2'\n2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'\n $ceph fs authorize fsname1 client.usr / r\n3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'\n $ceph fs authorize fsname2 client.usr / rw\n4. Update the keyring\n $ceph auth get client.usr >> ./keyring\n\nWith above permssions for the user 'client.usr', following is the\nexpectation.\n a. The 'client.usr' should be able to only read the contents\n and not allowed to create or delete files on file system 'fsname1'.\n b. The 'client.usr' should be able to read/write on file system 'fsname2'.\n\nBut, with this bug, the 'client.usr' is allowed to read/write on file\nsystem 'fsname1'. See below.\n\n5. Mount the file system 'fsname1' with the user 'client.usr'\n $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/\n6. Try creating a file on file system 'fsname1' with user 'client.usr'. This\n should fail but passes with this bug.\n $touch /kmnt_fsname1_usr/file1\n7. Mount the file system 'fsname1' with the user 'client.admin' and create a\n file.\n $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin\n $echo \"data\" > /kmnt_fsname1_admin/admin_file1\n8. Try removing an existing file on file system 'fsname1' with the user\n 'client.usr'. This shoudn't succeed but succeeds with the bug.\n $rm -f /kmnt_fsname1_usr/admin_file1\n\nFor more information, please take a look at the corresponding mds/fuse patch\nand tests added by looking into the tracker mentioned below.\n\nv2: Fix a possible null dereference in doutc\nv3: Don't store fsname from mdsmap, validate against\n ceph_mount_options's fsname and use it\nv4: Code refactor, better warning message and\n fix possible compiler warning\n\n[ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]"}], "id": "CVE-2025-40362", "lastModified": "2025-12-16T14:15:48.217", "metrics": {}, "published": "2025-12-16T14:15:48.217", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/22c73d52a6d05c5a2053385c0d6cd9984732799d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}