PT-2025-51578 · Linux+4 · Linux Kernel+4

Published 2025-09-11 · Updated 2026-05-26 · CVE-2025-40362

CVSS v2.0: 4.9 Medium

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The Linux kernel contains a flaw in the Ceph implementation related to MultiFS MDS authentication capabilities. Specifically, the check for authentication capabilities does not validate the filesystem name (fsname) alongside the associated capabilities. This allows the application of authentication capabilities from one filesystem to another within a multi-filesystem Ceph cluster. This can lead to unauthorized access, allowing users to perform actions on filesystems where they should not have permissions, such as creating, deleting, or modifying files. The issue occurs when mounting filesystems with specific user permissions, potentially allowing a user with read-only access to one filesystem to gain read-write access to another. The problem is reproducible using the ceph command-line tool and involves authorizing permissions for a user on multiple filesystems and then attempting to perform unauthorized actions. The vulnerability impacts user authentication within a Ceph cluster.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

BDU:2026-03005
CVE-2025-40362
ECHO-C77E-F752-503E
OPENSUSE-SU-2026:20145-1
SUSE-SU-2026:20207-1
SUSE-SU-2026:20220-1
SUSE-SU-2026:20228-1
USN-8029-1
USN-8029-2
USN-8029-3
USN-8030-1
USN-8048-1

Affected Products

Ceph
Debian
Linuxmint
Linux Kernel
Ubuntu