Описание
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.
Отчет
The Ceph client could perform out-of-bounds reads when decoding a corrupted or maliciously crafted osdmap, because the parser trusted length fields without validating each decoded or skipped element. This allows a remote Ceph peer to crash the kernel and cause a denial of service. Although this issue is triggered over an authenticated Ceph connection, the attack direction is from the server side (OSD/monitor) to the client. Any compromised or malfunctioning Ceph node can provide a malformed osdmap that is parsed in the kernel, breaking Ceph’s security model which assumes that no cluster component should be able to crash or compromise a client, even over an authorized channel.
Меры по смягчению последствий
To mitigate this issue and if Ceph not being used, then prevent module libceph from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2026:21745 | 28.05.2026 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2026:21706 | 28.05.2026 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | kernel | Fixed | RHSA-2026:26563 | 17.06.2026 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:26563 | 17.06.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:19568 | 20.05.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.1 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.
libceph: make decode_pool() more resilient against corrupted osdmaps
In the Linux kernel, the following vulnerability has been resolved: l ...
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.
EPSS
7.1 High
CVSS3