Impact
When Ceph calls d_add(dentry,NULL) on a negative dentry that is already hashed, the kernel’s __d_rehash() inserts the same node again, corrupting the d_hash list and potentially creating a self‑loop. This corrupted list causes __d_lookup() to spin indefinitely, which in turn triggers an RCU stall and can hang the entire system. The flaw results in a denial of service without requiring elevated privileges. The weakness is a misuse of the kernel hash API, consistent with CWE‑464.
Affected Systems
All Linux kernel builds that ship the buggy fs/ceph/dir.c paths are affected. The CPE string indicates every linux_kernel product, and no version range is listed. Consequently, any distribution using a kernel prior to the upstream patch is potentially impacted. The vulnerability is present in the upstream source, so any distro that has not applied the commit is susceptible.
Risk and Exploitability
The attack requires a Ceph client that can trigger the faulty lookup logic, such as a client repeatedly performing lookups or atomic_open operations that reuse negative dentries. Based on the description, it is inferred that the attacker can induce the failure path by sending crafted Ceph requests over the network. The CVSS score of 7.5 indicates a high severity and the potential for full system halt. The EPSS score of < 1% indicates a very low probability of exploitation at this time. No KEV listing is present, but the ongoing RCU stall log messages provide a clear detection vector for exploitation.
OpenCVE Enrichment
Debian DLA
Ubuntu USN