PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43408 Linux CVE debrief

CVE-2026-43408 is a Linux kernel Ceph client issue where ceph_mdsc_build_path() expects a zero-initialized ceph_path_info structure. Some callers were missing initializers, so later cleanup via ceph_mdsc_free_path_info() could operate on uninitialized state and trigger kernel crashes. The supplied record includes SLUB warnings and an oops on affected kernels, and NVD rates the issue HIGH with local, low-privilege attack requirements. The advisory text also notes that privilege escalation was considered possible, but that is not confirmed in the corpus.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-21
Advisory published
2026-05-08
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use the Ceph client on affected kernel builds should treat this as a priority patch item, especially in environments where local users can interact with Ceph-backed paths.

Technical summary

The bug is described as a missing zero-initialization requirement for ceph_path_info passed to ceph_mdsc_build_path(). If callers do not initialize the structure and the build path later fails, ceph_mdsc_free_path_info() may free or interpret stale fields, producing SLUB warnings, invalid frees, and kernel oopses. NVD classifies the issue as CWE-476 and assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8).

Defensive priority

High. Patch affected kernels promptly, because the issue is reachable with local privileges and can cause reliable kernel instability; the reporter also flags possible broader impact if the bug is abused.

Recommended defensive actions

  • Upgrade to a kernel build that includes the Ceph path-info initialization fix referenced by the official kernel patches.
  • Inventory hosts running Linux kernel versions in the affected NVD ranges and prioritize systems with Ceph client usage.
  • Backport or verify vendor patches on distribution kernels; confirm all ceph_mdsc_build_path() callers use zero-initialized ceph_path_info structures.
  • Treat repeated SLUB warnings, ceph_open() crashes, or oopses involving ceph_mdsc_free_path_info() as indicators to patch immediately.
  • Coordinate reboot windows after remediation so the fixed kernel is actually loaded on affected hosts.

Evidence notes

The source corpus shows the CVE record was published on 2026-05-08T15:16:52.397Z and modified on 2026-05-21T19:06:34.130Z. The NVD record lists affected Linux kernel ranges and a HIGH CVSS score, and the advisory text describes crash traces in kmem_cache_free() and __slab_free() when ceph_path_info is not zero-initialized. The official reference links in the corpus point to git.kernel.org stable patches. Exact fixed release versions are not stated in the supplied corpus, so remediation should follow the referenced upstream or vendor patches.

Official resources

Public disclosure in the supplied records is dated 2026-05-08T15:16:52.397Z, with a later record update on 2026-05-21T19:06:34.130Z. This debrief uses those CVE and NVD timestamps for timing context and does not infer any earlier issue date