Impact
A CEPH_MSG_OSD_MAP message can contain a crush map with at least one bucket whose two algorithm fields disagree. The first field determines the memory allocation size, while the second is used later in processing. If the values differ, crush_decode() may read beyond the allocated buffer, corrupting kernel.
Affected Systems
All Linux kernel builds that bundle libceph and have not applied the patch are in any kernel version compiled with libceph support prior to the inclusion of the fix referenced by this CVE, regardless of distribution.
Risk and Exploitability
The CVSS score of 9.8 reflects the critical impact of a kernel memory corruption. The EPSS score of less than 1% indicates a very low but nonzero chance of exploitation. An attacker could engineer a malicious CEPH_MSG_OSD_MAP from an untrusted Ceph OSD node to trigger the out-of-bounds read, potentially leading to privilege escalation or denial of service. No public exploit has been reported, but the vulnerability warrants prompt action.
OpenCVE Enrichment
Debian DLA