
CVE-2025-21737: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 02:12:13 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix memory leak in ceph_mds_auth_match()

We now free the temporary target path substring allocation on every possible branch, instead of omitting the default branch.

In some cases, a memory leak occurred, which could rapidly crash the system (depending on how many file accesses were attempted).

This was detected in production because it caused a continuous memory growth, eventually triggering kernel OOM and completely hard-locking the kernel.

Relevant kmemleak stacktrace:

    unreferenced object 0xffff888131e69900 (size 128):
      comm "git", pid 66104, jiffies 4295435999
      hex dump (first 32 bytes):
        76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65  volumes/containe
        72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67  rs/gitea/gitea/g
      backtrace (crc 2f3bb450):
        [<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510
        [<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]
        [<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]
        [<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120
        [<ffffffffaa7e3729>] vfs_open+0x79/0x360
        [<ffffffffaa832875>] path_openat+0x1de5/0x4390
        [<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0
        [<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180
        [<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0
        [<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210
        [<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f

It can be triggered by mounting a subdirectory of a CephFS filesystem, and then trying to access files on this subdirectory with an auth token using a path-scoped capability:

    $ ceph auth get client.services
    [client.services]
            key = REDACTED
            caps mds = "allow rw fsname=cephfs path=/volumes/"
            caps mon = "allow r fsname=cephfs"
            caps osd = "allow rw tag cephfs data=cephfs"

    $ cat /proc/self/mounts
    services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0

    $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \
      seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}

[ idryomov: combine if statements, rename rc to path_matched and make it a bool, formatting ]

AI-Powered Analysis

Last updated: 06/30/2025, 08:41:04 UTC

Technical Analysis

CVE-2025-21737 is a vulnerability in the Linux kernel's Ceph filesystem (CephFS) client, specifically in the ceph_mds_auth_match() function. The issue is a memory leak: the function allocates a temporary target path substring while matching a path-scoped MDS capability, but the original code freed that allocation only on some execution branches and omitted the free on the default branch, so memory grows with every affected file access. The leak is reached by mounting a subdirectory of a CephFS filesystem and accessing files under it with an auth token whose MDS capability is path-scoped (for example, "allow rw fsname=cephfs path=/volumes/"). The leaked buffers show up as unreferenced kernel objects that accumulate rapidly; under sustained file access the kernel eventually hits Out-Of-Memory (OOM) conditions and can hard-lock. The problem was detected in production, where repeated file accesses caused continuous memory growth until the system crashed. The kmemleak stack trace in the description shows the allocation in ceph_mds_check_access(), reached from ceph_open() through the VFS open path and the open syscall. Triggering the leak requires a CephFS mount with path-scoped capabilities and a high volume of file operations on the mounted subdirectory. No known exploits are reported in the wild; the impact is denial of service (DoS) through memory exhaustion, leading to a crashed or locked kernel. The fix frees the temporary path substring on every possible code path (recording the match result in a boolean and freeing before returning), which removes the leak.
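An illustrative C model of the bug class, added here and not the kernel's own ceph_mds_auth_match() code: a temporary target path is built for a path-scoped capability check, and the pre-fix version frees it on only one branch while the post-fix version frees it on the single exit path. The prefix check, the buffer construction and the live_allocs counter (standing in for what kmemleak reported) are assumptions of this model, not the kernel's data structures, and the branch chosen to leak is a simplification.

```c
/* Illustrative model of the bug class behind CVE-2025-21737, not the kernel's
 * code: a temporary target path is allocated, then freed on some branches but
 * not all. live_allocs stands in for the unreferenced objects kmemleak saw. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long live_allocs;                /* outstanding temporary path buffers */

/* builds "<mount_root>/<rel>", the temporary target path of the model */
static char *build_target_path(const char *mount_root, const char *rel)
{
    size_t n = strlen(mount_root) + strlen(rel) + 2;
    char *p = malloc(n);
    if (p) { live_allocs++; snprintf(p, n, "%s/%s", mount_root, rel); }
    return p;
}
static void free_target_path(char *p) { if (p) { free(p); live_allocs--; } }

/* true when cap_path (e.g. "/volumes/") covers tpath on a component boundary */
static bool path_covers(const char *cap_path, const char *tpath)
{
    size_t clen = strlen(cap_path);
    while (clen > 1 && cap_path[clen - 1] == '/') clen--;
    return strncmp(cap_path, tpath, clen) == 0 &&
           (tpath[clen] == '\0' || tpath[clen] == '/');
}

/* modelled pre-fix logic: the "no match" branch frees, the matching branch returns early */
static bool auth_match_leaky(const char *cap_path, const char *mount_root, const char *rel)
{
    char *_tpath = build_target_path(mount_root, rel);
    if (!_tpath) return false;
    if (!path_covers(cap_path, _tpath)) { free_target_path(_tpath); return false; }
    return true;                        /* BUG: _tpath leaked on every granted access */
}

/* modelled post-fix logic: remember the result, free on the single exit path */
static bool auth_match_fixed(const char *cap_path, const char *mount_root, const char *rel)
{
    char *_tpath = build_target_path(mount_root, rel);
    bool path_matched = _tpath && path_covers(cap_path, _tpath);
    free_target_path(_tpath);           /* freed on every branch */
    return path_matched;
}

/* repeats n granted accesses, like the reproducer's touch/cat loop; returns leaked buffers */
static long leaked_after(bool (*fn)(const char *, const char *, const char *), int n)
{
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        fn("/volumes/", "/volumes/containers", "gitea/gitea/git");
    return live_allocs;
}
```

Running the two variants through the same access loop shows the leaky model's outstanding-buffer count growing linearly with the number of accesses, while the fixed model stays at zero.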

Potential Impact

For European organizations utilizing CephFS in their Linux environments, especially in data centers, cloud infrastructure, or storage clusters, this vulnerability poses a significant risk of service disruption. The memory leak can cause rapid memory exhaustion leading to kernel OOM conditions and system hard locks, resulting in downtime and potential data unavailability. Organizations relying on CephFS for critical storage or containerized workloads may experience degraded performance or complete outages if exploited. The impact extends to any Linux-based systems running affected kernel versions with CephFS enabled and using path-scoped authentication tokens. Given CephFS's popularity in open-source and enterprise storage solutions, the vulnerability could affect cloud service providers, research institutions, and enterprises with distributed storage needs. While the vulnerability does not directly expose data confidentiality or integrity, the denial of service impact can disrupt business operations and cause cascading failures in dependent services.

Mitigation Recommendations

1. Apply the official Linux kernel patch that fixes the memory leak in ceph_mds_auth_match() as soon as it becomes available from trusted sources or Linux distribution vendors.
2. Temporarily avoid mounting CephFS subdirectories with path-scoped capabilities if patching is not immediately possible.
3. Monitor system memory usage closely on CephFS clients and servers to detect abnormal memory growth patterns indicative of exploitation attempts.
4. Limit the use of path-scoped authentication tokens to trusted users and services, reducing the attack surface.
5. Implement resource limits and cgroup controls on processes accessing CephFS to mitigate the impact of potential memory leaks.
6. Regularly audit and update CephFS client and server configurations to ensure they follow security best practices.
7. Engage in proactive kernel and CephFS version management to stay current with security fixes.
8. Consider deploying kernel memory leak detection tools (e.g., kmemleak) in testing environments to identify similar issues early.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.756Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe863c

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 8:41:04 AM

Last updated: 7/28/2025, 2:51:34 PM
