CVE-2025-21737: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21737 affects the Linux kernel's Ceph filesystem implementation, specifically in the cephmdsauth_match() function. The vulnerability was discovered in February 2025 and involves a memory leak that occurs when the temporary target path substring allocation is not properly freed on all execution branches (NVD, MITRE).

The vulnerability stems from a failure to free memory in the cephmdsauth_match() function where the temporary target path substring allocation is not freed on the default branch. This occurs during path-based authorization checks when accessing files on a CephFS filesystem. The issue can be triggered by mounting a subdirectory of a CephFS filesystem and attempting to access files using an auth token with path-scoped capability (Kernel Commit).

The memory leak can cause continuous memory growth in the system, which can rapidly lead to system instability. In production environments, this has resulted in triggering the kernel's Out-Of-Memory (OOM) killer and completely hard-locking the kernel. The impact is particularly severe when there are frequent file access attempts (Kernel Commit).

The issue has been fixed in the Linux kernel through a patch that ensures proper memory cleanup in all execution paths. The fix involves combining if statements, renaming variables for clarity, and ensuring the temporary path allocation is freed appropriately (Kernel Commit).