Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: fix num_ops off-by-one when crypto allocation fails

move_dirty_folio_in_page_array() may fail if the file is encrypted, the
dirty folio is not the first in the batch, and it fails to allocate a
bounce buffer to hold the ciphertext. When that happens,
ceph_process_folio_batch() simply redirties the folio and flushes the
current batch -- it can retry that folio in a future batch.

However, if this failed folio is not contiguous with the last folio that
did make it into the batch, then ceph_process_folio_batch() has already
incremented `ceph_wbc->num_ops`; because it doesn't follow through and
add the discontiguous folio to the array, ceph_submit_write() -- which
expects that `ceph_wbc->num_ops` accurately reflects the number of
contiguous ranges (and therefore the required number of "write extent"
ops) in the writeback -- will panic the kernel:

BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);

This issue can be reproduced on affected kernels by writing to
fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat
pattern (total filesize should not matter) and gradually increasing the
system's memory pressure until a bounce buffer allocation fails.

Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct
value when move_dirty_folio_in_page_array() fails, but the folio already
started counting a new (i.e. still-empty) extent.

The defect corrected by this patch has existed since 2022 (see first
`Fixes:`), but another bug blocked multi-folio encrypted writeback until
recently (see second `Fixes:`). The second commit made it into 6.18.16,
6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch
therefore fixes a regression (panic) introduced by cac190c7674f.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains an off‑by‑one error in the CephFS writeback path when a crypto bounce buffer allocation fails. If the failed folio is not contiguous with the last successful one, the counter tracking the number of write extents remains incremented, and a kernel assertion later expects the counter to match the number of operations. The mismatch triggers a BUG_ON that crashes the kernel. An attacker can induce this by writing to an fscrypt‑enabled CephFS file with alternating 4 KiB blocks and then applying memory pressure until the allocation fails. The crash results in a denial of service by rendering the node unusable until reboot. This is a pure crash condition and does not provide direct code execution or privilege escalation.

Affected Systems

Affected systems are Linux kernel builds that include the CephFS driver and have not applied the recent patch. The vulnerability was first identified in 2022; the regression was revealed in kernel releases 6.18.16, 6.19.6 and 7.0‑rc1. All subsequent kernel versions incorporate the fix that correctly decrements the operation counter when the bounce buffer allocation fails. Systems running earlier kernel releases without the patch are susceptible.

Risk and Exploitability

Risk assessment shows that the CVSS score of 5.5 indicates moderate severity. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. The attack vector requires privileged or local access to perform the crafted write operations and induce memory pressure, so the exploitation likelihood is moderate for an internal adversary. Nonetheless, any system exposed to CephFS with fscrypt enabled should promptly apply the patched kernel to avoid the crash.

Generated by OpenCVE AI on May 28, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the CephFS off‑by‑one patch (e.g., 6.18.16+ or later selections that incorporate the fix), ensuring the system runs a kernel from the series 6.18, 6.19 or 7.0 where the issue is resolved.
  • If an update is not immediately feasible, refrain from performing large encrypted write operations on CephFS and avoid applying significant memory pressure until the patch is available.
  • Consider temporarily disabling fscrypt on CephFS mounts if you must stay on an unpatched kernel, as the vulnerability relies on encrypted data and crypto buffer allocation failure.

Generated by OpenCVE AI on May 28, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ceph: fix num_ops off-by-one when crypto allocation fails move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch -- it can retry that folio in a future batch. However, if this failed folio is not contiguous with the last folio that did make it into the batch, then ceph_process_folio_batch() has already incremented `ceph_wbc->num_ops`; because it doesn't follow through and add the discontiguous folio to the array, ceph_submit_write() -- which expects that `ceph_wbc->num_ops` accurately reflects the number of contiguous ranges (and therefore the required number of "write extent" ops) in the writeback -- will panic the kernel: BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops); This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system's memory pressure until a bounce buffer allocation fails. Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct value when move_dirty_folio_in_page_array() fails, but the folio already started counting a new (i.e. still-empty) extent. The defect corrected by this patch has existed since 2022 (see first `Fixes:`), but another bug blocked multi-folio encrypted writeback until recently (see second `Fixes:`). The second commit made it into 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch therefore fixes a regression (panic) introduced by cac190c7674f.
Title ceph: fix num_ops off-by-one when crypto allocation fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:51:51.002Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46066

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:27.320

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46066

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46066 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:00:08Z

Weaknesses