CVE-2026-43408
Received - Intake
Memory Corruption in Ceph Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: add a bunch of missing ceph_path_info initializers

ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash.

Example crash (on Linux 6.18.12):

  virt_to_cache: Object is not a Slab page!
  WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
  [...]
  Call Trace:
  [...]
  ceph_open+0x13d/0x3e0
  do_dentry_open+0x134/0x480
  vfs_open+0x2a/0xe0
  path_openat+0x9a3/0x1160
  [...]
  cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
  WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
  [...]
  kernel BUG at mm/slub.c:634!
  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  RIP: 0010:__slab_free+0x1a4/0x350

Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without initializer are susceptible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.)

Unfortunately, these Ceph functions are undocumented and their semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error. Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere.
CVSS Scores
EPSS Scores
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor  Product  Version / Range
ceph    ceph     *
The description above places the bug in the Linux kernel's in-tree ceph filesystem client; hosts are affected through the kernel they run, not through a Ceph server installation.
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's Ceph filesystem client, in the pairing of ceph_mdsc_build_path() with ceph_mdsc_free_path_info(). ceph_mdsc_build_path() writes to its ceph_path_info argument only when it succeeds; on an error it returns without touching the structure. Every caller then calls ceph_mdsc_free_path_info() whether or not the build succeeded, and that function frees whatever the structure describes.

For callers that declared the ceph_path_info on the stack without an initializer, a failed build therefore leaves stale stack contents in the structure, and ceph_mdsc_free_path_info() hands a stale pointer to the slab allocator. That is what the crash in the description shows: kmem_cache_free() is first given an object that is not a slab page, then one that belongs to a different cache (ceph_inode_info rather than names_cache), and the kernel finally hits a BUG in __slab_free(). Callers that used a zero-initialized structure were safe, because a zeroed structure records nothing to free. The fix adds the missing initializers. The commit message also raises the possibility that such a bogus free could be turned into a privilege escalation, but this is stated as a conjecture, not demonstrated.
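The failure mode described above, modelled in userspace C as an added example that is not code from this page or from the kernel. The struct, the build_path()/free_path_info() pair, the allocation registry and the stale_frame() helper are all assumptions chosen to mirror the pattern in the description: the build function writes its output only on success, the caller frees unconditionally, and a registry of live allocations plays the role of the slab allocator's sanity checks so that a bogus free is reported instead of crashing.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ceph_path_info; field names are assumptions. */
struct path_info {
    char  *path;     /* buffer holding the built path */
    size_t pathlen;
    int    freepath; /* non-zero: path was heap-allocated and must be freed */
};

/*
 * Registry of live allocations. It plays the role of the slab allocator's
 * sanity checks (virt_to_cache / cache_from_obj in the crash above): a free
 * of a pointer it never handed out is reported rather than corrupting memory.
 */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static char *reg_copy(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        return NULL;
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* 0 if ptr is a live registry allocation, -EINVAL for a bogus free. */
static int reg_free(void *ptr)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] && live[i] == ptr) {
            free(ptr);
            live[i] = NULL;
            return 0;
        }
    }
    return -EINVAL; /* the kernel WARNs here and then BUGs in __slab_free() */
}

/* Like ceph_mdsc_build_path(): fills *info on success, leaves it untouched on error. */
static int build_path(struct path_info *info, const char *name)
{
    if (!name || !*name)
        return -ENOENT;        /* error path: *info is never written */
    char *p = reg_copy(name);
    if (!p)
        return -ENOMEM;
    info->path = p;
    info->pathlen = strlen(p);
    info->freepath = 1;
    return 0;
}

/* Like ceph_mdsc_free_path_info(): frees path if freepath says it was allocated.
 * Returns the allocator's verdict, 0 when there was nothing to free. */
static int free_path_info(struct path_info *info)
{
    int ret = 0;
    if (info->freepath)
        ret = reg_free(info->path);
    info->path = NULL;
    info->freepath = 0;
    return ret;
}

/* Constructed stale stack contents: what an earlier call might have left behind. */
static void stale_frame(struct path_info *slot)
{
    slot->path = (char *)(uintptr_t)0xdeadbeef;
    slot->pathlen = 42;
    slot->freepath = 1;
}

/*
 * One caller in both shapes. With zero_init the slot is cleared exactly as the
 * kernel's added `= {}` initializer does; without it, a failed build hands the
 * stale contents to free_path_info(). Returns 0 when the free was safe and
 * -EINVAL when a stale pointer was "freed".
 */
static int call_open_like(const char *name, int zero_init)
{
    struct path_info info;
    stale_frame(&info);
    if (zero_init)
        memset(&info, 0, sizeof(info));
    (void)build_path(&info, name);  /* result ignored: callers free unconditionally */
    return free_path_info(&info);
}

int caller_unfixed(const char *name) { return call_open_like(name, 0); }
int caller_fixed(const char *name)   { return call_open_like(name, 1); }

int main(void)
{
    printf("unfixed, build fails: %d\n", caller_unfixed(""));     /* -EINVAL, i.e. -22 on Linux */
    printf("fixed,   build fails: %d\n", caller_fixed(""));       /* 0 */
    printf("unfixed, build ok:    %d\n", caller_unfixed("/a/b")); /* 0 */
    printf("fixed,   build ok:    %d\n", caller_fixed("/a/b"));   /* 0 */
    return 0;
}
```

The success path is identical for both callers; only the error path differs, which is why the original callers without initializers crashed "randomly" rather than every time. Zeroing the structure is enough because a zeroed freepath makes the unconditional free a no-op.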


How can this vulnerability impact me?

On a host that uses the kernel CephFS client, the bug causes random kernel crashes, so the immediate effect is system instability or a denial of service. The call trace in the description (ceph_open() reached from path_openat()) shows that an ordinary open() of a file on a CephFS mount is enough to reach the affected code.

The commit message also raises the possibility that the bogus free could be exploited to elevate privileges. That is the author's conjecture rather than a demonstrated attack, but freeing a stale pointer into another slab object is the kind of memory-safety failure that has been weaponized before, so it should not be discounted.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The kernel log only shows this bug after it has fired, so the messages below are evidence of a crash, not proof that a host is safe. Whether a host is vulnerable is decided by two things: whether it uses the in-kernel CephFS client (the ceph module) and whether its kernel predates the fix. Compare the running kernel release with the fixed package version published by your distribution.

Where the bug has already triggered, the symptoms from the description are slab-allocator warnings from kmem_cache_free() with ceph functions in the call trace. Example kernel log messages to look for are "virt_to_cache: Object is not a Slab page!", "cache_from_obj: Wrong slab cache", and "kernel BUG at mm/slub.c".

Kernel logs can be searched with dmesg or journalctl. The pattern below is deliberately broad (the plain "slab" and "ceph" terms also match unrelated messages), so review the matches and look for a kmem_cache_free() warning followed by a ceph_* frame in the same trace. Because the Oops in the description is fatal, the evidence may be in the previous boot's log; journalctl accepts -b -1 for that.

  • Use the command: dmesg | grep -i 'ceph\|slab\|kmem_cache_free\|kernel BUG'
  • Use journalctl -k | grep -i 'ceph\|slab\|kmem_cache_free\|kernel BUG' to check kernel logs for relevant errors.

What immediate steps should I take to mitigate this vulnerability?

The bug is in the kernel, so the fix is a kernel update: install a kernel that includes the change adding the missing ceph_path_info initializers (your distribution's advisory will name the package version), then reboot so that the fixed ceph module is actually the one loaded.

If updating the kernel is not immediately possible, the only measure that removes the exposure is to stop using the in-kernel CephFS client on that host until it is patched, since the bug is reachable from ordinary file opens on a CephFS mount. Monitoring for the crash symptoms described above helps you notice a hit; it does not prevent one.

