VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68284

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets.

[ idryomov: changelog ]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's libceph, missing boundary checks on untrusted network packet length allow potential out-of-bounds writes when decrypting connection secrets or processing service tickets.

Vulnerability

Summary

The vulnerability resides in the handle_auth_session_key() function within the Linux kernel's Ceph (libceph) module. The function extracts a len field directly from untrusted network packets without first verifying that the value falls within expected bounds. This oversight can lead to out-of-bounds writes when the kernel subsequently uses this length value during decryption operations — specifically when decrypting the connection secret or processing service tickets [1][2].

Attack

Mechanism

An attacker on the network can craft a malicious Ceph authentication reply that contains a manipulated len field. If the target system's Ceph client processes such a packet, the unchecked length can cause memory writes beyond allocated buffers during the cryptographic operations that follow. No special privileges on the target are required; the attacker only needs the ability to intercept or spoof network traffic to the Ceph client [2].

Impact

A successful out-of-bounds write can corrupt kernel memory, potentially leading to a denial of service (system crash or instability) or, in worse cases, arbitrary code execution at the kernel level. Given the widespread use of Ceph in distributed storage environments, this vulnerability could compromise data integrity and availability across affected deployments [1].

Mitigation

The fix introduces proper boundary checks before using the length value, ensuring that all write operations stay within the allocated buffer limits. The patch has been committed to the stable kernel tree and is available in the referenced commits [1][2]. Administrators should apply the latest stable kernel updates for their distribution.
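The kind of check described above, as an added example; this is not the kernel's code or the actual patch. The wire layout (a 32-bit little-endian length prefix), the `SECRET_MAX` capacity, and the names `cursor`, `get_u32`, `read_blob` and `parse_reply` are assumptions made for illustration. The length is validated against both the bytes remaining in the packet and the capacity of the destination before anything is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECRET_MAX 64 /* assumed capacity of the destination buffer */

struct cursor { const uint8_t *p, *end; }; /* unread part of the packet */

/* Read a little-endian u32, but only if 4 bytes are still available. */
static int get_u32(struct cursor *c, uint32_t *out)
{
    if ((size_t)(c->end - c->p) < 4)
        return -1;
    *out = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8 |
           (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
    c->p += 4;
    return 0;
}

/* Copy a length-prefixed blob into dst; returns bytes copied or -1.
 * memcpy stands in for the decrypt step that writes into dst. */
static int read_blob(struct cursor *c, uint8_t *dst, size_t cap)
{
    uint32_t len;

    if (get_u32(c, &len))
        return -1;                     /* truncated length field */
    if (len > (size_t)(c->end - c->p))
        return -1;                     /* claims more than the packet holds */
    if (len > cap)
        return -1;                     /* would write past the destination */
    memcpy(dst, c->p, len);
    c->p += len;
    return (int)len;
}

/* Hypothetical entry point: parse one reply carrying a single secret. */
int parse_reply(const uint8_t *buf, size_t n, uint8_t secret[SECRET_MAX])
{
    struct cursor c = { buf, buf + n };
    return read_blob(&c, secret, SECRET_MAX);
}
```

Both comparisons are needed: a length can fit inside the received packet and still exceed the buffer it is written into.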

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
