Linux · Linux Kernel · CVE-2026-43407
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
An out-of-bounds access exists in the `ceph_handle_auth_reply()` function within libceph, triggered by a message of type `CEPH_MSG_AUTH_REPLY`. The issue occurs because the `payload_len` field is stored as an integer; a value exceeding `INT_MAX` causes an integer overflow, resulting in a negative value. This leads to the pointer address being decremented and subsequently accessed, as the `ceph_decode_need()` function only verifies that memory access does not exceed the allocation end address.
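The check pattern described above, as an added example: a simplified userspace model, not the kernel's code and not the upstream fix. The names `decode_flawed`, `decode_checked`, `has_room_upper_only` and `make_msg` are hypothetical; integer offsets stand in for the kernel pointers, and the length field is read in host byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Userspace model, not kernel code: offsets stand in for the p/end pointers. */

/* Upper-bound-only check: passes whenever pos + n does not run past end. */
static int has_room_upper_only(int64_t pos, int64_t end, int64_t n)
{
    return n <= end - pos;
}

/* Flawed pattern: signed length, cursor advanced before any lower-bound check.
 * Returns 1 if the message is accepted; *off is where the next field is read. */
int decode_flawed(const uint8_t *buf, int64_t len, int64_t *off)
{
    int32_t payload_len;
    if (len < 4) return 0;
    memcpy(&payload_len, buf, 4);     /* values above INT_MAX read back negative */
    *off = 4 + (int64_t)payload_len;  /* negative length moves the cursor back */
    return has_room_upper_only(*off, len, 4);
}

/* Hardened pattern: unsigned length compared with the bytes that remain. */
int decode_checked(const uint8_t *buf, int64_t len, int64_t *off)
{
    uint32_t payload_len;
    if (len < 4) return 0;
    memcpy(&payload_len, buf, 4);
    if ((int64_t)payload_len > len - 4) return 0;  /* payload must fit */
    *off = 4 + (int64_t)payload_len;
    return len - *off >= 4;                        /* and so must the next field */
}

/* Constructed sample message: length field followed by zero padding. */
void make_msg(uint8_t *buf, size_t size, uint32_t length_field)
{
    memset(buf, 0, size);
    memcpy(buf, &length_field, 4);
}

int main(void)
{
    uint8_t msg[16];
    int64_t off = 0;
    make_msg(msg, sizeof msg, 0xFFFFFFF0u);  /* constructed: > INT_MAX */
    printf("flawed:  accepted=%d offset=%lld\n", decode_flawed(msg, 16, &off), (long long)off);
    printf("checked: accepted=%d\n", decode_checked(msg, 16, &off));
    return 0;
}
```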
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.