Impact
The vulnerability exists in the Linux kernel’s Ceph decryption routine __ceph_x_decrypt(). While decrypting a message, the routine interprets part of the buffer as a ceph_x_encrypt_header and reads its magic field without verifying that the buffer is large enough to contain this header. The missing size check allows an out-of-bounds read if the ciphertext length is shorter than the header structure. This read can expose kernel memory contents and, if the read value is used later in kernel logic, could lead to a kernel panic or denial of service. No evidence in the description indicates privilege escalation.
Affected Systems
Any Linux kernel that loads the libceph module is potentially affected. The available information does not specify affected kernel releases or version ranges; therefore, all builds that include libceph and have not yet received the updated patch are in scope.
Risk and Exploitability
The CVSS base score is 7.5, reflecting high severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to inject or manipulate Ceph traffic to trigger the decryption routine with a specially crafted short ciphertext, thereby causing the out‑of‑bounds read. No public exploit is cited in the provided references, so the threat remains theoretical at present.
OpenCVE Enrichment