Skip to main content

Linux Kernel EUVDEUVD-2026-32448

| CVE-2026-46066 MEDIUM
Off-by-one Error (CWE-193)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2hfr-22wv-h4vj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local write access to an fscrypt CephFS mount required (AV:L, PR:L); sole impact is kernel panic with no confidentiality or integrity exposure (C:N/I:N/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:16 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix num_ops off-by-one when crypto allocation fails

move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch -- it can retry that folio in a future batch.

However, if this failed folio is not contiguous with the last folio that did make it into the batch, then ceph_process_folio_batch() has already incremented ceph_wbc->num_ops; because it doesn't follow through and add the discontiguous folio to the array, ceph_submit_write() -- which expects that ceph_wbc->num_ops accurately reflects the number of contiguous ranges (and therefore the required number of "write extent" ops) in the writeback -- will panic the kernel:

BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);

This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system's memory pressure until a bounce buffer allocation fails.

Fix this crash by decrementing ceph_wbc->num_ops back to the correct value when move_dirty_folio_in_page_array() fails, but the folio already started counting a new (i.e. still-empty) extent.

The defect corrected by this patch has existed since 2022 (see first Fixes:), but another bug blocked multi-folio encrypted writeback until recently (see second Fixes:). The second commit made it into 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch therefore fixes a regression (panic) introduced by cac190c7674f.

AnalysisAI

Kernel panic in the Linux Ceph filesystem client affects systems running fscrypt-encrypted CephFS on kernel versions 6.18.16-6.18.29, 6.19.6, and 7.0.x prior to 7.0.4. An off-by-one error (CWE-193) in ceph_wbc->num_ops during encrypted writeback causes a hard BUG_ON assertion in ceph_submit_write(), crashing the kernel when a bounce buffer allocation fails under memory pressure. No public exploit exists and EPSS is 0.02% (4th percentile), but the CVE description contains a precise reproduction recipe, making reliable local triggering straightforward for anyone with write access to an affected encrypted mount.

Technical ContextAI

The defect resides in the Linux kernel Ceph filesystem client's writeback path for fscrypt-encrypted files (CPE: cpe:2.3:o:linux:linux_kernel). CWE-193 (Off-by-One Error): ceph_process_folio_batch() increments ceph_wbc->num_ops when it begins accounting for a discontiguous dirty folio, but when move_dirty_folio_in_page_array() subsequently fails to allocate a bounce buffer for ciphertext, the folio is abandoned without decrementing the counter. The downstream ceph_submit_write() enforces the invariant that num_ops equals the number of contiguous write-extent operations via a hard BUG_ON assertion; the mismatch panics the kernel. The underlying defect has existed since 2022, but was masked until commit cac190c7674f enabled multi-folio encrypted writeback - that commit landed in 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic exclusively on those versions. The vulnerability is strictly confined to fscrypt-enabled CephFS mounts; unencrypted CephFS and all other filesystems are unaffected.

RemediationAI

Upgrade to Linux kernel 6.18.30, 7.0.4, or 7.1-rc1 or later, which include the fix that decrements ceph_wbc->num_ops when move_dirty_folio_in_page_array() fails on a not-yet-counted extent. Fix commits are available at https://git.kernel.org/stable/c/6200f41d6fcf2ac7e24866431e381cbc914560e4, https://git.kernel.org/stable/c/a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842, and https://git.kernel.org/stable/c/ba12c1e578890f6337a415b7dedf476c6d455105. For systems where an immediate kernel upgrade is not feasible, the most effective compensating control is to disable fscrypt encryption on CephFS mounts; note this removes at-rest encryption protection and requires data migration. A secondary mitigation is to ensure generous memory headroom on hosts serving encrypted CephFS workloads, reducing the probability of bounce buffer allocation failures - but this cannot be guaranteed and is not a reliable control. Monitoring kernel live-patching channels (e.g., SUSE KLPD, Ubuntu Livepatch, Oracle Ksplice) for backported fixes is advisable where reboots are costly.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy