CVE-2025-21737 is a vulnerability identified in the Linux kernel's Ceph filesystem (CephFS) implementation, specifically within the ceph_mds_auth_match() function. The issue arises from a memory leak caused by improper handling of temporary target path substring allocations. The vulnerability occurs because the code failed to free allocated memory in all execution branches, leading to continuous memory growth. This memory leak can be triggered by mounting a subdirectory of a CephFS filesystem and accessing files within this subdirectory using an authentication token with path-scoped capabilities. The leak manifests as unreferenced kernel memory objects that accumulate rapidly, eventually causing the kernel's Out-Of-Memory (OOM) killer to activate and potentially hard-lock the system. The problem was detected in production environments where repeated file access attempts caused the system to consume increasing amounts of memory until a crash occurred. The technical details include a kmemleak stack trace showing the allocation and the call chain through ceph_mds_check_access, ceph_open, and various VFS and syscall layers. Exploitation requires mounting CephFS with specific path-scoped capabilities and performing high-volume file operations on the mounted subdirectory. Although no known exploits are reported in the wild, the vulnerability can lead to denial of service (DoS) by crashing or locking the kernel due to memory exhaustion. The fix involves ensuring that the temporary path substring allocations are freed on every possible code path, preventing the leak.

For European organizations utilizing CephFS in their Linux environments, especially in data centers, cloud infrastructure, or storage clusters, this vulnerability poses a significant risk of service disruption. The memory leak can cause rapid memory exhaustion leading to kernel OOM conditions and system hard locks, resulting in downtime and potential data unavailability. Organizations relying on CephFS for critical storage or containerized workloads may experience degraded performance or complete outages if exploited. The impact extends to any Linux-based systems running affected kernel versions with CephFS enabled and using path-scoped authentication tokens. Given CephFS's popularity in open-source and enterprise storage solutions, the vulnerability could affect cloud service providers, research institutions, and enterprises with distributed storage needs. While the vulnerability does not directly expose data confidentiality or integrity, the denial of service impact can disrupt business operations and cause cascading failures in dependent services.

1. Apply the official Linux kernel patch that fixes the memory leak in ceph_mds_auth_match() as soon as it becomes available from trusted sources or Linux distribution vendors. 2. Temporarily avoid mounting CephFS subdirectories with path-scoped capabilities if patching is not immediately possible. 3. Monitor system memory usage closely on CephFS clients and servers to detect abnormal memory growth patterns indicative of exploitation attempts. 4. Limit the use of path-scoped authentication tokens to trusted users and services, reducing the attack surface. 5. Implement resource limits and cgroup controls on processes accessing CephFS to mitigate the impact of potential memory leaks. 6. Regularly audit and update CephFS client and server configurations to ensure they follow security best practices. 7. Engage in proactive kernel and CephFS version management to stay current with security fixes. 8. Consider deploying kernel memory leak detection tools (e.g., kmemleak) in testing environments to identify similar issues early.