CVE-2025-38223
📋 TL;DR
A kernel bug in the Linux Ceph filesystem driver triggers a BUG_ON assertion failure when handling encrypted inodes with unaligned file sizes (e.g., 33KB or 1KB). This causes a kernel panic and system crash, affecting systems using Ceph with filesystem encryption.
💻 Affected Systems
- Linux kernel Ceph filesystem driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data corruption or loss in active filesystem operations.
Likely Case
System crash when accessing encrypted files with unaligned sizes on Ceph filesystems, resulting in downtime.
If Mitigated
No impact if Ceph is not used or encryption is disabled on affected filesystems.
🎯 Exploit Status
Triggered by normal filesystem operations; not a remote exploit. The generic/397 test case demonstrates the issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with fixes from the referenced stable commits
Vendor Advisory: https://git.kernel.org/stable/c/060909278cc0a91373a20726bd3d8ce085f480a9
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fixes.
2. For distributions: Use package manager (apt/yum/dnf) to install latest kernel.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable filesystem encryption on Ceph
Avoid using fscrypt encryption on Ceph filesystems to prevent trigger conditions.
Do not set encryption policies on Ceph filesystems: run 'sudo fscrypt status' to check, and avoid 'fscrypt encrypt' commands.
Avoid unaligned file sizes
Ensure encrypted files on Ceph are aligned to filesystem block sizes.
Use tools that create aligned files or manually check sizes.
🧯 If You Can't Patch
- Monitor for kernel panic logs related to Ceph and encrypted inodes.
- Restrict user access to Ceph filesystems or implement strict file size policies.
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether Ceph is used with encryption: run 'uname -r' and 'mount | grep ceph', then test with the generic/397 fstest if available.
Check Version:
uname -r
Verify Fix Applied:
After update, verify kernel version includes fixes and test encrypted file operations on Ceph.
📡 Detection & Monitoring
Log Indicators:
- Kernel logs with 'kernel BUG at net/ceph/messenger.c:1070' or similar BUG_ON messages related to Ceph and encryption.
Network Indicators:
- None - local filesystem issue.
SIEM Query:
source="kernel" AND "BUG" AND "ceph" AND "encrypt"
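The log indicator above can also be matched on the source path reported in the BUG line, which covers the "or similar" case without hard-coding one line number. This is an added example, not code from the original page or the kernel project; the function name, the `Hit` record and the sample log lines are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# The kernel prints "kernel BUG at <file>:<line>!" when a BUG_ON fires.
BUG_RE = re.compile(r"kernel BUG at (?P<path>[\w./-]+):(?P<line>\d+)!")
# dmesg-style "[ seconds.micros]" timestamp, if the line carries one.
TS_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\]")
CEPH_DIRS = ("net/ceph/", "fs/ceph/")            # Ceph client source trees
PAGE_INDICATOR = ("net/ceph/messenger.c", 1070)  # indicator quoted on the page

# Constructed sample input (not captured from a real system).
SAMPLE = [
    "[  812.104511] ------------[ cut here ]------------",
    "[  812.104530] kernel BUG at net/ceph/messenger.c:1070!",
    "Jun 01 10:00:00 node1 kernel: kernel BUG at fs/ceph/addr.c:10!",
    "[  900.000001] kernel BUG at fs/ext4/inode.c:42!",
    "[  901.000000] ceph: mds0 reconnect start",
]


class Hit(NamedTuple):
    lineno: int               # 1-based position in the scanned log
    uptime: Optional[float]   # dmesg timestamp, None for syslog-style lines
    path: str                 # source file that raised the BUG
    line: int                 # source line that raised the BUG
    exact: bool               # True when it equals the page's indicator


def find_ceph_bugs(log_lines):
    """Return a Hit for every kernel BUG raised from Ceph client code."""
    hits = []
    for n, text in enumerate(log_lines, 1):
        m = BUG_RE.search(text)
        if not m or not m["path"].startswith(CEPH_DIRS):
            continue  # not a BUG line, or a BUG from an unrelated subsystem
        ts = TS_RE.search(text[: m.start()])
        loc = (m["path"], int(m["line"]))
        hits.append(Hit(n, float(ts["ts"]) if ts else None, *loc,
                        exact=loc == PAGE_INDICATOR))
    return hits


if __name__ == "__main__":
    for hit in find_ceph_bugs(SAMPLE):
        print(hit)
```

The BUG line as quoted above does not contain the word "encrypt", so this check keys on the file path only and leaves correlation with encrypted-file activity to the analyst.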