Impact
The vulnerability lies in the Linux kernel’s libceph module. A malicious or compromised CEPH OSD_MAP message can contain duplicate CRUSH choose‑args indices. When the libceph decode_choose_args() routine attempts to insert a second entry with the same key, an assertion inside insert_choose_arg_map() fires a BUG, causing a kernel panic. This results in a sudden crash of the affected system and a loss of availability, but does not provide an attacker with remote code execution or other privileges. The weakness can be classified under CWE‑617 for unchecked return values during data structure insertion.
Affected Systems
All Linux kernels that compile the libceph code and are used in Ceph storage clusters are potentially affected, regardless of version, until the patch that replaces the asserting rbtree insertion with a non‑asserting variant is applied. The affectation applies to any distribution that ships the upstream kernel without backporting this fix, including bare‑metal or container hosts running Ceph clients or servers.
Risk and Exploitability
The CVSS score of 7.5 reflects a high severity denial‑of‑service impact. The EPSS score of < 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve sending a crafted CEPH OSD_MAP packet across the network to a node that accepts Ceph traffic, which may be over an untrusted or partially trusted environment. As such, the risk remains moderate, and applying the vendor patch is strongly recommended.
OpenCVE Enrichment
Debian DLA