Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv access to a CephFS mount (AV:L/PR:L); a buffer leak causes only memory-exhaustion DoS (A:H) with no confidentiality or integrity impact (C:N/I:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix a buffer leak in __ceph_setxattr()
The old_blob in __ceph_setxattr() can store ci->i_xattrs.prealloc_blob value during the retry. However, it is never called the ceph_buffer_put() for the old_blob object. This patch fixes the issue of the buffer leak.
AnalysisAI
Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local authenticated access (CVSS PR:L) to a host with the CephFS kernel client and a mounted Ceph filesystem the attacker can issue setxattr operations against; the attacker must repeatedly drive the __ceph_setxattr() retry path so old_blob leaks. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) rates high impact, but that C:H/I:H/A:H profile is questionable for what the description characterizes as a memory leak - a leak realistically produces availability degradation (memory exhaustion/DoS) rather than confidentiality or integrity loss, so the 7.8 likely overstates real impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with access to a mounted CephFS repeatedly invokes setxattr in a way that forces the __ceph_setxattr() retry path, leaking a preallocated ceph_buffer on each iteration. Over time this exhausts kernel memory, degrading or crashing the host (denial of service). … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 or later on the corresponding branch (apply your distribution's backported kernel update). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify and inventory all systems running CephFS and document their current kernel and Ceph versions to determine exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38830
GHSA-2p2x-px9w-6j23