PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46066 Linux CVE debrief

A kernel panic vulnerability exists in the Linux kernel's CephFS client when handling encrypted file writeback. The issue stems from an off-by-one error in `ceph_wbc->num_ops` accounting when bounce buffer allocation fails during multi-folio encrypted writeback operations. Specifically, when `move_dirty_folio_in_page_array()` fails due to memory pressure on a non-first folio in a batch, `ceph_process_folio_batch()` increments `num_ops` for a new extent but then fails to add the discontiguous folio to the array. This causes `ceph_submit_write()` to trigger a `BUG_ON()` panic when the operation index does not match the expected number of operations. The vulnerability was introduced by commit cac190c7674f and unmasked in kernel versions 6.18.16, 6.19.6, and 7.0-rc1 when a separate bug fix enabled multi-folio encrypted writeback. The underlying defect has existed since 2022. Exploitation requires fscrypt-enabled CephFS with specific write patterns (4KiB written/4KiB skipped) under memory pressure conditions. The fix decrements `num_ops` when a new extent is started but the folio fails to be added to the batch.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux kernels 6.18.16, 6.19.6, or 7.0-rc1 with CephFS and fscrypt encryption enabled; Ceph storage administrators; Linux distribution security teams; cloud infrastructure providers offering Ceph-based storage with encryption; security operations teams monitoring for kernel stability issues

Technical summary

The vulnerability is an off-by-one accounting error in the CephFS client's writeback path. When processing encrypted folio batches, `ceph_process_folio_batch()` increments `ceph_wbc->num_ops` when encountering a discontiguous dirty folio, indicating a new write extent operation will be needed. If `move_dirty_folio_in_page_array()` subsequently fails due to bounce buffer allocation failure (possible under memory pressure), the folio is redirtied for future retry but is not added to the current batch. However, `num_ops` is not decremented, leaving it one higher than the actual number of contiguous ranges in the batch. When `ceph_submit_write()` executes, its `BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops)` assertion fails because the operation index tracking does not match the inflated `num_ops` value, causing a kernel panic. The fix adds a decrement of `num_ops` when this specific failure condition occurs on a newly-started extent.
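The accounting mismatch described above can be reproduced in a small user-space model. This is an added example, not kernel code and not the upstream patch; `folio_model`, `accounting_consistent`, `sparse_batch` and `contig_batch` are hypothetical names, and the batch contents are constructed inputs. It generalizes slightly by also showing a contiguous batch, where no new extent is started and the counts stay consistent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model of the accounting; not the kernel source. */
struct folio_model {
    unsigned long index;  /* page index of the dirty folio */
    bool bounce_fails;    /* models move_dirty_folio_in_page_array() failing */
};

/* Constructed inputs. sparse: 4KiB written / 4KiB skipped, 3rd folio fails. */
static const struct folio_model sparse_batch[] = { {0, false}, {2, false}, {4, true} };
/* contig: adjacent folios, 2nd folio fails (no new extent was started). */
static const struct folio_model contig_batch[] = { {0, false}, {1, true} };

/* True when the submit-time check would pass, i.e. the BUG_ON would not fire. */
bool accounting_consistent(const struct folio_model *f, size_t n, bool apply_fix)
{
    unsigned num_ops = 0;  /* models ceph_wbc->num_ops */
    unsigned extents = 0;  /* extents really in the batch (models op_idx + 1) */
    size_t accepted = 0;

    for (size_t i = 0; i < n; i++) {
        bool new_extent = accepted == 0 || f[i].index != f[i - 1].index + 1;
        if (new_extent)
            num_ops++;                 /* counted before the folio is added */
        if (f[i].bounce_fails) {       /* folio is redirtied; batch ends here */
            if (apply_fix && new_extent)
                num_ops--;             /* the fix: undo the extent never added */
            break;
        }
        if (new_extent)
            extents++;
        accepted++;
    }
    /* Model covers non-first-folio failure only; empty batch is not submitted. */
    return accepted == 0 || extents == num_ops;
}

int main(void)
{
    printf("sparse unfixed=%d fixed=%d\n",
           accounting_consistent(sparse_batch, 3, false),
           accounting_consistent(sparse_batch, 3, true));
    printf("contig unfixed=%d\n", accounting_consistent(contig_batch, 2, false));
    return 0;
}
```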

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable tree commits 6200f41d6fcf, a0d9555bf9ea, and ba12c1e57889 when available for your distribution
  • Prioritize patching systems running kernel 6.18.16, 6.19.6, or 7.0-rc1 with CephFS fscrypt encryption enabled
  • Monitor for kernel panic traces containing 'BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops)' as an indicator of an exploitation attempt
  • Consider memory pressure monitoring on CephFS clients with encrypted workloads to detect conditions that favor triggering the bug
  • Review CephFS writeback patterns and consider workload adjustments if patching is delayed
  • Validate backup and recovery procedures for CephFS encrypted data given potential for system instability

Evidence notes

The CVE description provides detailed technical analysis including the specific BUG_ON trigger, affected code paths (ceph_process_folio_batch, ceph_submit_write, move_dirty_folio_in_page_array), and reproduction conditions (fscrypt-enabled CephFS, 4KiB write/skip pattern, memory pressure). Three kernel.org stable tree commits are referenced as fixes. The vulnerability status is 'Awaiting Analysis' per NVD.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree on 2026-05-27. The issue represents a regression introduced when multi-folio encrypted writeback was enabled, exposing a pre-existing accounting defect. The kernel panic is 0.