FKIE_CVE-2026-46066
Vulnerability from fkie_nvd - Published: 2026-05-27 14:17 - Updated: 2026-06-24 17:04
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix num_ops off-by-one when crypto allocation fails
move_dirty_folio_in_page_array() may fail if the file is encrypted, the
dirty folio is not the first in the batch, and it fails to allocate a
bounce buffer to hold the ciphertext. When that happens,
ceph_process_folio_batch() simply redirties the folio and flushes the
current batch -- it can retry that folio in a future batch.
However, if this failed folio is not contiguous with the last folio that
did make it into the batch, then ceph_process_folio_batch() has already
incremented `ceph_wbc->num_ops`; because it doesn't follow through and
add the discontiguous folio to the array, ceph_submit_write() -- which
expects that `ceph_wbc->num_ops` accurately reflects the number of
contiguous ranges (and therefore the required number of "write extent"
ops) in the writeback -- will panic the kernel:
BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);
This issue can be reproduced on affected kernels by writing to
fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat
pattern (total filesize should not matter) and gradually increasing the
system's memory pressure until a bounce buffer allocation fails.
Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct
value when move_dirty_folio_in_page_array() fails, but the folio already
started counting a new (i.e. still-empty) extent.
The defect corrected by this patch has existed since 2022 (see first
`Fixes:`), but another bug blocked multi-folio encrypted writeback until
recently (see second `Fixes:`). The second commit made it into 6.18.16,
6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch
therefore fixes a regression (panic) introduced by cac190c7674f.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6200f41d6fcf2ac7e24866431e381cbc914560e4",
"status": "affected",
"version": "d55207717ded95c8f2760a30e93319fa313186e6",
"versionType": "git"
},
{
"lessThan": "ba12c1e578890f6337a415b7dedf476c6d455105",
"status": "affected",
"version": "d55207717ded95c8f2760a30e93319fa313186e6",
"versionType": "git"
},
{
"lessThan": "a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842",
"status": "affected",
"version": "d55207717ded95c8f2760a30e93319fa313186e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "664D2AF8-363B-4789-A43E-2EDBF84B4C13",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix num_ops off-by-one when crypto allocation fails\n\nmove_dirty_folio_in_page_array() may fail if the file is encrypted, the\ndirty folio is not the first in the batch, and it fails to allocate a\nbounce buffer to hold the ciphertext. When that happens,\nceph_process_folio_batch() simply redirties the folio and flushes the\ncurrent batch -- it can retry that folio in a future batch.\n\nHowever, if this failed folio is not contiguous with the last folio that\ndid make it into the batch, then ceph_process_folio_batch() has already\nincremented `ceph_wbc-\u003enum_ops`; because it doesn\u0027t follow through and\nadd the discontiguous folio to the array, ceph_submit_write() -- which\nexpects that `ceph_wbc-\u003enum_ops` accurately reflects the number of\ncontiguous ranges (and therefore the required number of \"write extent\"\nops) in the writeback -- will panic the kernel:\n\n BUG_ON(ceph_wbc-\u003eop_idx + 1 != req-\u003er_num_ops);\n\nThis issue can be reproduced on affected kernels by writing to\nfscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat\npattern (total filesize should not matter) and gradually increasing the\nsystem\u0027s memory pressure until a bounce buffer allocation fails.\n\nFix this crash by decrementing `ceph_wbc-\u003enum_ops` back to the correct\nvalue when move_dirty_folio_in_page_array() fails, but the folio already\nstarted counting a new (i.e. still-empty) extent.\n\nThe defect corrected by this patch has existed since 2022 (see first\n`Fixes:`), but another bug blocked multi-folio encrypted writeback until\nrecently (see second `Fixes:`). The second commit made it into 6.18.16,\n6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch\ntherefore fixes a regression (panic) introduced by cac190c7674f."
}
],
"id": "CVE-2026-46066",
"lastModified": "2026-06-24T17:04:07.387",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-05-27T14:17:27.320",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/6200f41d6fcf2ac7e24866431e381cbc914560e4"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/ba12c1e578890f6337a415b7dedf476c6d455105"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-193"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…