Skip to main content

Linux Kernel CVE-2026-43408

| EUVDEUVD-2026-28714 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-97qv-cc94-mr6w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:34 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ceph: add a bunch of missing ceph_path_info initializers

ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash.

Example crash (on Linux 6.18.12):

virt_to_cache: Object is not a Slab page! WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400 [...] Call Trace: [...] ceph_open+0x13d/0x3e0 do_dentry_open+0x134/0x480 vfs_open+0x2a/0xe0 path_openat+0x9a3/0x1160 [...] cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400 [...] kernel BUG at mm/slub.c:634! Oops: invalid opcode: 0000 [#1] SMP NOPTI RIP: 0010:__slab_free+0x1a4/0x350

Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without initializer are suspectible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.)

Unfortunately, these Ceph functions are undocumented and its semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error.

Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere.

AnalysisAI

Memory corruption in the Linux kernel's Ceph filesystem client allows local authenticated users to trigger kernel crashes and potentially escalate privileges. The vulnerability stems from missing zero-initialization of ceph_path_info structures before passing them to ceph_mdsc_build_path(), causing subsequent ceph_mdsc_free_path_info() calls to attempt freeing uninitialized or corrupted memory pointers. Multiple code paths in ceph_open() and related functions are affected, introduced by commit 15f519e9f883. Patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, with no public exploit code or CISA KEV listing at time of analysis.

Technical ContextAI

The Ceph distributed filesystem client code in the Linux kernel uses ceph_path_info structures to build and manage filesystem paths during metadata operations. The ceph_mdsc_build_path() function expects this structure to be zero-initialized before invocation because it only initializes fields on success, leaving them undefined on error paths. However, all callers unconditionally invoke ceph_mdsc_free_path_info() afterward, which attempts to free memory pointed to by structure members. When the structure contains uninitialized stack memory, these pointers reference arbitrary memory addresses, causing SLUB allocator violations (freeing objects from wrong caches or non-slab pages). The affected code paths include VFS operations like ceph_open() invoked through do_dentry_open() and path_openat(). The CPE data identifies this as affecting the Linux kernel's Ceph client implementation broadly. While no CWE is specified, this represents a classic uninitialized memory use bug (similar to CWE-457) combined with improper resource management (CWE-404), leading to memory corruption.

RemediationAI

Apply vendor-released kernel patches immediately: upgrade to Linux kernel 6.12.78, 6.18.19, 6.19.9, or 7.0 depending on your current stable branch. Patch commits add zero-initialization to ceph_path_info structures across multiple code paths (commits 644b47f0574f, 8be8911f5908, 453df1f45358, 43323a5934b6). If immediate patching is not feasible, implement compensating controls with these trade-offs: (1) Restrict Ceph filesystem mounts to privileged administrative users only via mount permissions and SELinux/AppArmor policies-this reduces attack surface but impairs multi-tenant workflows and container storage functionality; (2) Disable Ceph kernel client module (rmmod ceph) and migrate to FUSE-based ceph-fuse client-this eliminates kernel exploitation risk but incurs 15-30% performance penalty and requires application compatibility testing; (3) Deploy kernel live-patching solutions (kpatch/kGraft) with the initialization fixes if your distribution provides them-this avoids reboot but requires enterprise support subscriptions. Note that workarounds (2) and (3) may break existing Kubernetes CSI drivers and container orchestration integrations. For production Ceph storage clusters, coordinate patching with maintenance windows as kernel upgrades require node reboots and may trigger Ceph rebalancing operations. Verify patch application with 'uname -r' and test Ceph mount operations post-upgrade.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy