PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43420 Linux CVE debrief

CVE-2026-43420 describes a race in the Linux kernel Ceph client during asynchronous unlink handling. The issue can cause the inode link count (`i_nlink`) to be decremented after it has already been updated to zero by a concurrent completion or capability update, which can trigger a kernel WARNING in `drop_nlink()`. The source description ties the problem to the async unlink path in `ceph_unlink()`, where unlink submission is issued before completion is received. If another client, or the completion of the same unlink, updates the inode state first, the later decrement can underrun the counter. The described impact is kernel warning/log noise and inconsistent inode accounting behavior in the Ceph client path.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-12
Advisory published
2026-05-08
Advisory updated
2026-05-12

Who should care

Linux distribution maintainers, kernel operators, and teams running Ceph-mounted filesystems on Linux should pay attention, especially if async unlink activity is common or kernel warnings are monitored as service-impact signals.

Technical summary

The vulnerable path is in the Linux kernel Ceph client. During async unlink, `ceph_unlink()` submits `CEPH_MDS_OP_UNLINK` and does not wait for completion before calling `drop_nlink()`. In the window between submission and the local decrement, worker-thread processing of capability grants, imports, or the unlink reply can run `set_nlink()` and update the inode link count. If that updated value is already zero, the subsequent decrement in `drop_nlink()` underruns the counter and can emit a WARNING at `fs/inode.c:407`. The source description says the fix is to avoid decrementing when the count is already zero, with locking around `i_nlink` updates using `ceph_inode_info.i_ceph_lock` to prevent TOCTOU races.

Defensive priority

Medium

Recommended defensive actions

  • Apply the upstream/stable Linux kernel fix for CVE-2026-43420 in any kernel that includes the Ceph client async unlink path.
  • Prioritize patching hosts that mount Ceph filesystems and generate frequent unlink activity, since the issue is in the Ceph client path.
  • Review kernel logs for `drop_nlink()` warnings and Ceph unlink-related stack traces as indicators of exposure.
  • Validate vendor kernel backports against the referenced stable kernel fixes before rollout.
  • If you maintain custom Ceph client or kernel changes, avoid ad hoc workarounds and align with the locking-based fix described in the source record.

Evidence notes

The supplied CVE description states that the Linux kernel Ceph client can underrun `i_nlink` during async unlink when concurrent worker activity updates the inode before `drop_nlink()` runs, producing a WARNING in `drop_nlink+0x50/0x68`. The CVE record was published on 2026-05-08 and modified on 2026-05-12; NVD listed the item as undergoing analysis in the supplied source snapshot. The record includes multiple upstream/stable kernel references, supporting that a kernel-side fix exists or was tracked in stable branches.

Official resources

Public CVE record published on 2026-05-08T15:16:54.023Z; the supplied NVD snapshot shows the entry still undergoing analysis as of 2026-05-12T14:10:27.343Z.