{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: libceph: fix potential use-after-free in have_mon_and_osd_map()",
    "id" : "2422801",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2422801"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\nkfree(monc->monmap);\nmonc->monmap = monmap;\nceph_osdmap_destroy(osdc->osdmap);\nosdc->osdmap = newmap;\nunder client->monc.mutex and client->osdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it's possible for\nclient->monc.monmap->epoch and client->osdc.osdmap->epoch arms in\nclient->monc.monmap && client->monc.monmap->epoch &&\nclient->osdc.osdmap && client->osdc.osdmap->epoch;\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\nBUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\nRead of size 4 at addr ffff88811012d810 by task mount.ceph/13305\nCPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n...\nCall Trace:\n<TASK>\nhave_mon_and_osd_map+0x56/0x70\nceph_open_session+0x182/0x290\nceph_get_tree+0x333/0x680\nvfs_get_tree+0x49/0x180\ndo_new_mount+0x1a3/0x2d0\npath_mount+0x6dd/0x730\ndo_mount+0x99/0xe0\n__do_sys_mount+0x141/0x180\ndo_syscall_64+0x9f/0x100\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n</TASK>\nAllocated by task 13305:\nceph_osdmap_alloc+0x16/0x130\nceph_osdc_init+0x27a/0x4c0\nceph_create_client+0x153/0x190\ncreate_fs_client+0x50/0x2a0\nceph_get_tree+0xff/0x680\nvfs_get_tree+0x49/0x180\ndo_new_mount+0x1a3/0x2d0\npath_mount+0x6dd/0x730\ndo_mount+0x99/0xe0\n__do_sys_mount+0x141/0x180\ndo_syscall_64+0x9f/0x100\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nFreed by task 9475:\nkfree+0x212/0x290\nhandle_one_map+0x23c/0x3b0\nceph_osdc_handle_map+0x3c9/0x590\nmon_dispatch+0x655/0x6f0\nceph_con_process_message+0xc3/0xe0\nceph_con_v1_try_read+0x614/0x760\nceph_con_workfn+0x2de/0x650\nprocess_one_work+0x486/0x7c0\nprocess_scheduled_works+0x73/0x90\nworker_thread+0x1c8/0x2a0\nkthread+0x2ec/0x300\nret_from_fork+0x24/0x40\nret_from_fork_asm+0x1a/0x30\nRewrite the wait loop to check the above condition directly with\nclient->monc.mutex and client->osdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client->auth_err under client->monc.mutex to match\nhow it's set in finish_auth().\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well.", "A use-after-free vulnerability was found in the Ceph client session initialization in the Linux kernel. The have_mon_and_osd_map() function checks map epochs without holding the appropriate locks, racing with concurrent map updates that free the old map. This can result in dereferencing freed memory during CephFS or RBD mount operations." ],
  "statement" : "This race condition occurs during Ceph client session establishment. Exploitation is timing-dependent and requires concurrent map updates during mount, making practical exploitation difficult but not impossible.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0786",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.28.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0747",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.54.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0754",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7",
    "package" : "kernel-rt-0:3.10.0-1160.145.1.rt56.1297.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0755",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "kernel-0:3.10.0-1160.145.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0443",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.92.1.rt7.433.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0444",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.92.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2446",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0643",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.181.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2558",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0532",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.124.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0532",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.124.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2557",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0793",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.24.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0793",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.24.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-03T00:00:00Z",
    "advisory" : "RHSA-2026:1820",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0576",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.161.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0537",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.161.1.rt21.233.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2127",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.0",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0535",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.152.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0534",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.152.1.rt14.437.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2115",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-13T00:00:00Z",
    "advisory" : "RHSA-2026:0489",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.106.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2109",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.4",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0804",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.79.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2096",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.6",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68285\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68285\nhttps://lore.kernel.org/linux-cve-announce/2025121638-CVE-2025-68285-8339@gregkh/T" ],
  "name" : "CVE-2025-68285",
  "csaw" : false
}