CVE-2026-43188
Awaiting Analysis - Queue
Page Array Error Propagation in Linux Kernel CephFS

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: do not propagate page array emplacement errors as batch errors

When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch.

However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker.

Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write.

For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that.

After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: ceph
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's Ceph filesystem when fscrypt is enabled. move_dirty_folio_in_page_array() has to allocate a bounce buffer for the encrypted version of each folio, and every folio beyond the first uses the non-blocking GFP_NOWAIT allocation mode, under which failures are common and expected. ceph_process_folio_batch() uses the same `rc` variable for its own return code and for the return codes of the routines it calls, and it does not reset `rc` to 0 after such a failure, so the allocation error is propagated as a batch error. The main writeback loop cannot tolerate errors at this point: once `ceph_wbc.pages` is allocated it must be passed to ceph_submit_write() to be freed, and if it survives until the next iteration the BUG_ON() in ceph_allocate_page_array() can trigger a kernel oops (crash).

The fix involves resetting the error code when redirtying the folio so that errors from move_dirty_folio_in_page_array() do not propagate and cause failures. This prevents the kernel from crashing due to these allocation errors during encrypted write operations in Ceph.
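
The control flow described above, reduced to a userspace C model (an added example, not the kernel's code or the patch). `struct wb`, `emplace`, `process_batch`, `writeback` and the `-ENOMEM` value are assumptions standing in for the routines the description names; `reset_rc` selects the behaviour before and after the fix.

```c
#include <errno.h>
#include <stdbool.h>

/* Userspace model of the control flow, not kernel code. Names are
 * hypothetical stand-ins for the routines named in the description. */
struct wb { bool pages; int locked_pages; int submitted; };

/* move_dirty_folio_in_page_array() stand-in: the first folio never fails;
 * folio `fail_at` simulates a failed GFP_NOWAIT bounce-buffer allocation
 * (the -ENOMEM value is an assumption). */
static int emplace(int idx, int fail_at)
{
    return (idx > 0 && idx == fail_at) ? -ENOMEM : 0;
}

/* ceph_process_folio_batch() stand-in: `rc` doubles as the callee result. */
static int process_batch(struct wb *w, int nfolios, int fail_at, bool reset_rc)
{
    int rc = 0;
    w->pages = true;                 /* page array now owned by this batch */
    w->locked_pages = 0;
    for (int i = 0; i < nfolios; i++) {
        rc = emplace(i, fail_at);
        if (rc) {                    /* redirty the folio, flush what we have */
            if (reset_rc)
                rc = 0;              /* the fix: expected failure, not a batch error */
            break;
        }
        w->locked_pages++;
    }
    return rc;
}

/* Writeback-loop stand-in. Returns 0 when every page array was submitted,
 * -1 when an array survives into the next iteration (the BUG_ON() state). */
static int writeback(struct wb *w, int iters, int nfolios, int fail_at, bool reset_rc)
{
    w->pages = false;
    w->submitted = 0;
    for (int n = 0; n < iters; n++) {
        if (w->pages)
            return -1;               /* kernel: BUG_ON() in ceph_allocate_page_array() */
        if (process_batch(w, nfolios, fail_at, reset_rc))
            continue;                /* error path skips submission */
        w->submitted += w->locked_pages;
        w->pages = false;            /* ceph_submit_write() stand-in frees the array */
    }
    return 0;
}
```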


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel oops) during write operations on Ceph filesystems with encryption enabled. Such crashes can lead to system instability, data loss, or service interruptions, especially in environments relying on Ceph for storage.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by resetting the error code (rc) when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. This prevents the error from causing a kernel oops in ceph_allocate_page_array().

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix for the Ceph subsystem.

