Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: supply snapshot context in ceph_zero_partial_object()

The ceph_zero_partial_object function was missing proper snapshot
context for its OSD write operations, which could lead to data
inconsistencies in snapshots.

Reproducer:
../src/vstart.sh --new -x --localhost --bluestore
./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a'
mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf
dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1
mkdir /mnt/mycephfs/.snap/snap1
md5sum /mnt/mycephfs/.snap/snap1/foo
fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo
echo 3 > /proc/sys/vm/drop/caches
md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability was discovered in the Linux kernel’s Ceph integration. The ceph_zero_partial_object() routine failed to supply the proper snapshot context for OSD write operations, causing writes intended for a snapshot to be executed with incorrect metadata. The resulting data inconsistency manifests as differing file checksums between the live filesystem and its snapshots, which undermines data integrity without enabling code execution.

Affected Systems

The flaw is present in any Linux kernel that compiles with Ceph support and has not yet incorporated the patch that adds the snapshot context to ceph_zero_partial_object(). No specific kernel version numbers are listed; the advisory refers only to the Linux kernel. If your system mounts Ceph filesystems via the kernel module, it likely shares this code path.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is < 1%, but the publicly available repro demonstrates that an attacker with write access to a mounted Ceph filesystem can trigger the flaw. The likely attack vector is a local attacker who can write to the Ceph filesystem via the kernel module; there is no evidence of remote exploitation from outside the node. Because the flaw only corrupts snapshot data, the overall risk is concentrated on data integrity in environments that rely on Ceph snapshots, and the lack of a KEV listing suggests it has not yet been widely exploited in the wild.

Generated by OpenCVE AI on May 8, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Linux to a kernel version that includes the patch fixing ceph_zero_partial_object().
  • If an upgrade is not immediately possible, cherry‑pick and apply the specific commit that supplies the snapshot context to ceph_zero_partial_object() and rebuild the kernel.
  • Until the kernel is updated, avoid taking or restoring snapshots from this Ceph cluster or enforce checksum verification after snapshot operations to detect inconsistencies.

Generated by OpenCVE AI on May 8, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!
Title ceph: supply snapshot context in ceph_zero_partial_object()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:22.184Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43273

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:48.543

Modified: 2026-05-08T20:01:19.023

Link: CVE-2026-43273

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43273 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:45:18Z

Weaknesses