Impact
A boundary check bug in the Linux kernel’s libceph osdmap_decode function can cause an out‑of‑bounds read or write when decoding osd_state and osd_weight data. The flaw arises because the ceph_decode_need() check only verifies a single element of the osd_weight array instead of accounting for the entire map of maximum OSD entries, allowing memory corruption or data leakage if an incoming message reports a max_osd larger than the actual data size.
Affected Systems
All Linux kernel installations that include the libceph module are potentially affected; the CVE does not specify a version range, so any kernel before the patch that introduced the corrected ceph_decode_need() check remains vulnerable.
Risk and Exploitability
The likely attack vector is an attacker who can send a malformed Ceph OSD map to the kernel, such as through Ceph network traffic or a local client with Ceph protocol access. Based on the description, exploitation would read or overwrite kernel memory, potentially leading to a crash or elevation of privilege; however, the exploit requires crafting the message and targeting systems that receive Ceph data. The CVSS score of 9.1 indicates high severity, while the EPSS score of <1% suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of known exploits in the wild.
OpenCVE Enrichment
Debian DLA