CVE-2025-40362
📋 TL;DR
A Linux kernel Ceph filesystem vulnerability allows users to bypass intended access controls in multi-filesystem Ceph clusters. When a user has different permissions on different filesystems, the bug incorrectly applies permissions from one filesystem to another, potentially granting unauthorized read/write access. This affects systems using Ceph multi-filesystem configurations with user-based authentication.
💻 Affected Systems
- Linux kernel Ceph filesystem module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain full read/write access to sensitive filesystems, potentially leading to data theft, data destruction, or privilege escalation in multi-tenant environments.
Likely Case
Users with limited permissions on one filesystem gain unintended write access, potentially modifying or deleting files they shouldn't have access to.
If Mitigated
If proper network segmentation and access controls are in place, the impact is limited to users who already have some level of authenticated access to the Ceph cluster.
🎯 Exploit Status
Exploitation requires existing user credentials and access to mount Ceph filesystems. The bug is demonstrated in the CVE description with specific mount commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches via the provided git.kernel.org links
Vendor Advisory: https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version.
2. For Ceph client systems: update the kernel and restart.
3. For Ceph server systems: update the kernel and restart MDS (Metadata Server) services.
4. Verify that all Ceph mounts use the updated kernel.
🔧 Temporary Workarounds
Use single filesystem configuration
Linux: Avoid using multi-filesystem Ceph configurations until patched
Restrict user access
Linux: Apply uniform permissions across all filesystems for each user to prevent permission mismatch exploitation
ceph fs authorize <fsname> <user> <path> <permissions> # Apply same permissions across all filesystems
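An audit to support the workaround above, as an added example that is not part of the original advisory or of Ceph: it lists clients whose MDS capabilities differ between filesystems, which is the permission mismatch this CVE depends on. The JSON layout (`auth_dump`, `entity`, `caps`) is assumed to match `ceph auth ls --format json`, and the sample data is constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `ceph auth ls --format json` output (assumed
# layout: top-level "auth_dump" list with "entity" and "caps"). Not real data.
SAMPLE_AUTH_DUMP = json.dumps({"auth_dump": [
    {"entity": "client.usr", "caps": {
        "mds": "allow r fsname=fs1 path=/volumes/, allow rw fsname=fs2 path=/volumes/",
        "mon": "allow r fsname=fs1, allow r fsname=fs2"}},
    {"entity": "client.uniform", "caps": {
        "mds": "allow rw fsname=fs1, allow rw fsname=fs2"}},
    {"entity": "client.single", "caps": {"mds": "allow rw fsname=fs1 path=/data"}},
    {"entity": "osd.0", "caps": {"osd": "allow *"}},
]})

GRANT_RE = re.compile(r"^allow\s+(\S+)")
FSNAME_RE = re.compile(r"\bfsname=(\S+)")


def mds_perms_by_fs(mds_caps):
    """Map fsname -> set of permission specs granted in an MDS caps string."""
    perms = defaultdict(set)
    for grant in (g.strip() for g in mds_caps.split(",")):
        spec = GRANT_RE.match(grant)
        if not spec:
            continue
        fs = FSNAME_RE.search(grant)
        # A grant without fsname= applies to every filesystem; track it as "*".
        perms[fs.group(1) if fs else "*"].add(spec.group(1))
    return dict(perms)


def mismatched_clients(auth_json):
    """Return {entity: {fsname: sorted perms}} for clients whose MDS permissions
    differ between filesystems (the precondition described for this CVE)."""
    findings = {}
    for entry in json.loads(auth_json).get("auth_dump", []):
        perms = mds_perms_by_fs(entry.get("caps", {}).get("mds", ""))
        if len(perms) > 1 and len({frozenset(p) for p in perms.values()}) > 1:
            findings[entry["entity"]] = {fs: sorted(p) for fs, p in perms.items()}
    return findings


if __name__ == "__main__":
    for entity, perms in mismatched_clients(SAMPLE_AUTH_DUMP).items():
        print(entity, perms)
```

Clients it reports are the ones to prioritise for patched kernels or for uniform capabilities until the fix is deployed.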
🧯 If You Can't Patch
- Implement strict network segmentation to limit Ceph cluster access to only necessary users/systems
- Enable detailed audit logging on Ceph MDS and monitor for unauthorized file operations across filesystem boundaries
🔍 How to Verify
Check if Vulnerable:
Check if system uses Ceph multi-filesystem configuration and test user permissions across different filesystems as described in CVE reproduction steps
Check Version:
uname -r # Check kernel version, then verify it includes the Ceph patches
Verify Fix Applied:
After patching, repeat the reproduction steps from CVE description to confirm users cannot write to filesystems where they only have read permissions
📡 Detection & Monitoring
Log Indicators:
- Ceph MDS logs showing 'fsname mismatch' warnings
- Unexpected file create/delete operations by users on filesystems where they shouldn't have write permissions
Network Indicators:
- Unusual Ceph client mount patterns across multiple filesystems
SIEM Query:
(source="ceph-mds.log" AND ("fsname check failed" OR "fsname mismatch")) OR (source="audit.log" AND process="mount.ceph" AND user_change_between_filesystems)