Vulnerability Lookup

🛡️ CVE-2025-39880

🟠 CVSS 7.8 — High ✅ No Known Exploit CWE-704 NVD

7.8

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter, so such a read is almost guaranteed to return a bogus value instead of 0 when msgr2 is in use. This ends up being fairly benign because the side effect is just the invalidation of the authorizer and successive fetching of new tickets. con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that it's being written to can cause more serious consequences, but luckily it's not something that happens often.

Details

Severity HIGH

CVSS Score 7.8

CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE CWE-704

Public Exploit ✅ No

Source NVD

Published 2025-09-23

Updated 2026-06-02

Modified 2026-01-20

Fix URL https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8

Affected Packages

Software	From version	Fixed in
debian-linux	—	—
linux-kernel	—	—

References

Patch https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8

Patch https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983

Patch https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5

Patch https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef

Patch https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371

Patch https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096

Mailing List, Third Party Advisory https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Site Security Check

Concerned your site may already be targeted?

BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.

Check My Site Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Concerned your site may already be targeted?

Company

Resources

Services

Trusted

Subscribe