CVE-2026-46066
Buffer Overflow Fix in Linux Kernel CephFS

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: fix num_ops off-by-one when crypto allocation fails

move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch -- it can retry that folio in a future batch.

However, if this failed folio is not contiguous with the last folio that did make it into the batch, then ceph_process_folio_batch() has already incremented `ceph_wbc->num_ops`; because it doesn't follow through and add the discontiguous folio to the array, ceph_submit_write() -- which expects that `ceph_wbc->num_ops` accurately reflects the number of contiguous ranges (and therefore the required number of "write extent" ops) in the writeback -- will panic the kernel:

    BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);

This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system's memory pressure until a bounce buffer allocation fails.

Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct value when move_dirty_folio_in_page_array() fails, but the folio already started counting a new (i.e. still-empty) extent.

The defect corrected by this patch has existed since 2022 (see first `Fixes:`), but another bug blocked multi-folio encrypted writeback until recently (see second `Fixes:`). The second commit made it into 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch therefore fixes a regression (panic) introduced by cac190c7674f.
Meta Information

Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
ceph   | ceph    | From 6.18.16 (inc) to 7.0-rc1 (inc)
CWE ID: CWE-UNKNOWN

AI Quick Actions
Executive Summary

This vulnerability exists in the Linux kernel's CephFS writeback path for fscrypt-encrypted files. When a dirty folio of an encrypted file is written back and the kernel cannot allocate a bounce buffer for the ciphertext (typically under memory pressure), move_dirty_folio_in_page_array() fails. If that folio was not contiguous with the previous folio in the batch, ceph_process_folio_batch() has already incremented its write-operation count (ceph_wbc->num_ops) and does not undo the increment, so the count is off by one. ceph_submit_write() then expects one more write extent than is actually present, hits a BUG_ON, and panics the kernel.

The issue is triggered when writes to encrypted files leave non-contiguous dirty folios and a bounce buffer allocation fails, producing a mismatch in the internal count of write operations. The fix decrements num_ops back to the correct value when the allocation fails, so the kernel no longer panics.

Impact Analysis

This vulnerability can cause the Linux kernel to panic and crash during encrypted file write operations on CephFS under certain memory pressure conditions. This can lead to system instability, data write interruptions, and potential data loss or corruption during the affected write operations.

Systems using encrypted CephFS with fscrypt enabled and experiencing high memory pressure are at risk of encountering this kernel panic, which could disrupt normal operations and require system reboots.

Detection Guidance

This vulnerability manifests as a kernel panic caused by a BUG_ON condition in the Ceph writeback code when writing to fscrypt-enabled CephFS files under certain memory pressure conditions.

Detection relies on kernel logs: look for a kernel BUG or panic whose trace passes through the Ceph writeback path (ceph_submit_write()), since that is where the failing assertion BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops) lives.

Reproducing the issue involves writing to encrypted CephFS files with a 4KiB-written/4KiB-skipped pattern repeatedly while increasing system memory pressure until bounce buffer allocation fails.

  • Check kernel logs for panic messages: `dmesg | grep -i ceph` or `journalctl -k | grep -i ceph`
  • Monitor for kernel panics or crashes related to Ceph writeback.
  • Test with a script or command that writes to fscrypt-enabled CephFS files using the described pattern to see if the system panics under memory pressure.
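As an added example (not part of this advisory or of the kernel project), a small Python triage script that applies the detection guidance above to kernel log text: it flags a kernel BUG whose reported location is in the Ceph code, stack frames naming the Ceph writeback functions from the description (ceph_submit_write, ceph_process_folio_batch), and a following kernel panic. The sample log lines are constructed; the file name and line number in the BUG message are placeholders, and the "page allocation failure" line is only treated as optional memory-pressure context (the advisory does not say that such a warning is logged).

```python
import re
from dataclasses import dataclass

# Constructed sample of `journalctl -k` style output. The path/line in the
# "kernel BUG at" message is a placeholder, not taken from the advisory.
SAMPLE_KERNEL_LOG = """\
May 27 10:14:02 node1 kernel: ceph: mds0 session established
May 27 10:15:31 node1 kernel: kworker/u8:2: page allocation failure: order:0, mode:0xcc0
May 27 10:15:31 node1 kernel: ------------[ cut here ]------------
May 27 10:15:31 node1 kernel: kernel BUG at fs/ceph/PLACEHOLDER.c:NNN!
May 27 10:15:31 node1 kernel: RIP: 0010:ceph_submit_write+0x1a3/0x4c0 [ceph]
May 27 10:15:31 node1 kernel: Call Trace:
May 27 10:15:31 node1 kernel:  ceph_process_folio_batch+0x2b0/0x6e0 [ceph]
May 27 10:15:31 node1 kernel: Kernel panic - not syncing: Fatal exception
May 27 10:16:00 node1 kernel: eth0: link up
"""

# A constructed benign log: Ceph is in use, but nothing crashed.
BENIGN_KERNEL_LOG = """\
May 27 10:14:02 node1 kernel: ceph: mds0 session established
May 27 10:14:05 node1 kernel: eth0: link up
"""


@dataclass
class Finding:
    line_no: int   # 1-based line number in the log
    kind: str      # which indicator matched
    text: str      # the matching log line


# Indicators from the advisory: a BUG_ON reached in the CephFS writeback path
# (ceph_submit_write), with ceph_process_folio_batch as the caller.
_BUG_RE = re.compile(r"kernel BUG at (\S+)", re.IGNORECASE)
_CEPH_FRAME_RE = re.compile(r"\b(ceph_submit_write|ceph_process_folio_batch)\b")
_PANIC_RE = re.compile(r"Kernel panic - not syncing", re.IGNORECASE)
# Assumed corroborating context only; the advisory does not state this is logged.
_ALLOC_FAIL_RE = re.compile(r"page allocation failure", re.IGNORECASE)


def scan_kernel_log(log_text: str) -> list[Finding]:
    """Return every line that matches one of the indicators, in log order."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = _BUG_RE.search(line)
        if m and "ceph" in m.group(1).lower():
            findings.append(Finding(n, "ceph_bug", line))
        elif _CEPH_FRAME_RE.search(line):
            findings.append(Finding(n, "ceph_writeback_frame", line))
        elif _PANIC_RE.search(line):
            findings.append(Finding(n, "panic", line))
        elif _ALLOC_FAIL_RE.search(line):
            findings.append(Finding(n, "alloc_failure", line))
    return findings


def triage(log_text: str, window: int = 20) -> dict:
    """Summarise whether the log shows the crash pattern from the advisory.

    The verdict requires both a BUG located in Ceph code and a Ceph writeback
    frame in the trace; an allocation failure shortly before the BUG is
    reported separately as memory-pressure context.
    """
    findings = scan_kernel_log(log_text)
    kinds = {f.kind for f in findings}
    bug_lines = [f.line_no for f in findings if f.kind == "ceph_bug"]
    alloc_before_bug = any(
        f.kind == "alloc_failure"
        and any(0 < b - f.line_no <= window for b in bug_lines)
        for f in findings
    )
    return {
        "ceph_bug": "ceph_bug" in kinds,
        "ceph_writeback_frame": "ceph_writeback_frame" in kinds,
        "panic": "panic" in kinds,
        "alloc_failure_context": alloc_before_bug,
        "matches_advisory": "ceph_bug" in kinds and "ceph_writeback_frame" in kinds,
        "findings": findings,
    }


if __name__ == "__main__":
    # Typical use: `journalctl -k | python3 this_script.py` would read stdin;
    # here the constructed sample is scanned instead.
    result = triage(SAMPLE_KERNEL_LOG)
    for f in result["findings"]:
        print(f"line {f.line_no:>3} [{f.kind}] {f.text}")
    print("matches advisory pattern:", result["matches_advisory"])
```

The verdict deliberately needs two independent signals (a BUG in Ceph code and a Ceph writeback frame) so that an unrelated Ceph message or an unrelated panic does not trip it; the allocation-failure context is reported but not required, because the advisory only says the bounce buffer allocation fails, not that a warning precedes the BUG.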

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is fixed, as the issue is resolved by a patch that corrects the off-by-one error in the Ceph writeback code.

Until the kernel is updated, avoid workloads that write to fscrypt-enabled CephFS files with patterns that could trigger bounce buffer allocation failures, especially under high memory pressure.

Monitor system memory usage and avoid conditions that cause bounce buffer allocation failures.

If possible, disable encryption on CephFS files temporarily or avoid using encrypted filesystems until the fix is applied.
