CVE-2026-43188 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ceph: do not propagate page array emplacement errors as batch errors

When fscrypt is enabled, move_dirty_folio_in_page_array() may fail
because it needs to allocate bounce buffers to store the encrypted
versions of each folio. Each folio beyond the first allocates its bounce
buffer with GFP_NOWAIT. Failures are common (and expected) under this
allocation mode; they should flush (not abort) the batch.

However, ceph_process_folio_batch() uses the same `rc` variable for its
own return code and for capturing the return codes of its routine calls;
failing to reset `rc` back to 0 results in the error being propagated
out to the main writeback loop, which cannot actually tolerate any
errors here: once `ceph_wbc.pages` is allocated, it must be passed to
ceph_submit_write() to be freed. If it survives until the next iteration
(e.g. due to the goto being followed), ceph_allocate_page_array()'s
BUG_ON() will oops the worker.

Note that this failure mode is currently masked due to another bug
(addressed next in this series) that prevents multiple encrypted folios
from being selected for the same write.

For now, just reset `rc` when redirtying the folio to prevent errors in
move_dirty_folio_in_page_array() from propagating. Note that
move_dirty_folio_in_page_array() is careful never to return errors on
the first folio, so there is no need to check for that. After this
change, ceph_process_folio_batch() no longer returns errors; its only
remaining failure indicator is `locked_pages == 0`, which the caller
already handles correctly.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

During normal writeback, Ceph’s move_dirty_folio_in_page_array() may fail to allocate bounce buffers for encrypted folios. The function ceph_process_folio_batch() reuses its return code variable without resetting it, so a failure propagates to the main kernel writeback loop. The loop cannot tolerate such errors, and the unhandled failure eventually triggers an unexpected kernel panic, terminating the system. While the kernel crash is not the only effect, this results in a denial of service by rendering the affected node inoperable. The description confirms that the error propagates into ceph_wbc.pages handling and can lead to an oops when ceph_allocate_page_array() encounters a bug.

Affected Systems

All Linux kernel builds that include the Ceph writeback code with fscrypt support are potentially vulnerable. The advisory does not list specific version ranges, so any distribution that ships a Ceph module with file‑system encryption enabled should be considered at risk until the patch is applied. The precise affected releases are not specified in the provided data, therefore administrators should review the kernel version they are running against upstream commit c0d84c7 (or the Git reference in the advisory) to determine if the fix is present.

Risk and Exploitability

No CVSS, EPSS, or KEV data is available for this issue. The lack of an EPSS score and the absence from the CISA KEV catalog suggest that, so far, exploitation has not been observed or documented. However, the documented crash during normal write operations indicates a high impact. The likely attack vector involves triggering Ceph writes that use encryption; an attacker could achieve this remotely if a Ceph client is compromised, or locally if a user has write access to the mounted filesystem. This inference is based on the context that the problem arises in Ceph write operations with fscrypt, so any entity able to effect a write could potentially trigger the failure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ce80b76dd32764cc914975777e058d4fae4f0ea0`	affected	< 746840c87d76b614b14d9337c466ff022fc49823
`ce80b76dd32764cc914975777e058d4fae4f0ea0`	affected	< 4c0d84c788d89c167abf0bf84fd37890c4c84f08
`ce80b76dd32764cc914975777e058d4fae4f0ea0`	affected	< 707104682e3c163f7c14cdd6b07a3e95fb374759

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ce80b76dd32764cc914975777e058d4fae4f0ea0,746840c87d76b614b14d9337c466ff022fc49823)`	affected	code_commit	—
`[ce80b76dd32764cc914975777e058d4fae4f0ea0,4c0d84c788d89c167abf0bf84fd37890c4c84f08)`	affected	code_commit	—
`[ce80b76dd32764cc914975777e058d4fae4f0ea0,707104682e3c163f7c14cdd6b07a3e95fb374759)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that contains the fix for this command; check the release notes for the Ceph module patch or the upstream commit that resets the rc variable.
If no update is available, manually apply the upstream patch that resets the rc variable in ceph_process_folio_batch() to prevent error propagation.
As a temporary workaround, disable Ceph writes that use fscrypt encryption or disable fscrypt on the affected volumes until the fix is applied.
Monitor /var/log/kern.log or dmesg for kernel oops messages related to Ceph and isolate processes that generate frequent writes to mitigate intermittent crashes.

Generated by OpenCVE AI on May 6, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4c0d84c788d89c167abf0bf84fd37890c4c84f08
https://git.kernel.org/stable/c/707104682e3c163f7c14cdd6b07a3e95fb374759
https://git.kernel.org/stable/c/746840c87d76b614b14d9337c466ff022fc49823

History

Wed, 06 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-703 CWE-754

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.
Title		ceph: do not propagate page array emplacement errors as batch errors
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4c0d84c788d89c167abf0bf84fd37890c4c84f08 https://git.kernel.org/stable/c/707104682e3c163f7c14cdd6b07a3e95fb374759 https://git.kernel.org/stable/c/746840c87d76b614b14d9337c466ff022fc49823

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:58.402Z

Updated: 2026-05-06T11:27:58.402Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43188

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:37.600

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T18:15:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object