CVE-2025-39880

23.09.2025, 06:15

In the Linux kernel, the following vulnerability has been resolved:

libceph: fix invalid accesses to ceph_connection_v1_info

There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).

On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.

con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm	vulnerable
bookworm (security)	6.1.153-1 fixed
trixie	vulnerable
trixie (security)	6.12.48-1 fixed
forky	vulnerable
sid	6.16.8-1 fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht näher beschriebene Auswirkungen zu erzielen.
Published: 2025-09-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8

https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983

https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5

https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef

https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371