CVE-2026-46052
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
19/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ceph: only d_add() negative dentries when they are unhashed<br />
<br />
Ceph can call d_add(dentry, NULL) on a negative dentry that is already<br />
present in the primary dcache hash.<br />
<br />
In the current VFS that is not safe. d_add() goes through __d_add()<br />
to __d_rehash(), which unconditionally reinserts dentry->d_hash into<br />
the hlist_bl bucket. If the dentry is already hashed, reinserting the<br />
same node can corrupt the bucket, including creating a self-loop.<br />
Once that happens, __d_lookup() can spin forever in the hlist_bl walk,<br />
typically looping only on the d_name.hash mismatch check and<br />
eventually triggering RCU stall reports like this one:<br />
<br />
rcu: INFO: rcu_sched self-detected stall on CPU<br />
rcu: 87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829<br />
rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192)<br />
CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE<br />
Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023<br />
RIP: 0010:__d_lookup+0x46/0xb0<br />
Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f<br />
RSP: 0018:ff745a70c8253898 EFLAGS: 00000282<br />
RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966<br />
RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0<br />
RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89<br />
R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0<br />
R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f<br />
FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
lookup_fast+0x9f/0x100<br />
walk_component+0x1f/0x150<br />
link_path_walk+0x20e/0x3d0<br />
path_lookupat+0x68/0x180<br />
filename_lookup+0xdc/0x1e0<br />
vfs_statx+0x6c/0x140<br />
vfs_fstatat+0x67/0xa0<br />
__do_sys_newfstatat+0x24/0x60<br />
do_syscall_64+0x6a/0x230<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
This is reachable with reused cached negative dentries. A Ceph lookup<br />
or atomic_open can be handed a negative dentry that is already hashed,<br />
and fs/ceph/dir.c then hits one of two paths that incorrectly assume<br />
"negative" also means "unhashed":<br />
<br />
- ceph_finish_lookup():<br />
MDS reply is -ENOENT with no trace<br />
-> d_add(dentry, NULL)<br />
<br />
- ceph_lookup():<br />
local ENOENT fast path for a complete directory with shared caps<br />
-> d_add(dentry, NULL)<br />
<br />
Both paths can therefore re-add an already-hashed negative dentry.<br />
<br />
Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only<br />
calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)<br />
is true.<br />
<br />
Fix both fs/ceph/dir.c sites the same way: only call d_add() for a<br />
negative dentry when it is actually unhashed. If the negative dentry<br />
is already hashed, leave it in place and reuse it as-is.<br />
<br />
This preserves the existing behavior for unhashed dentries while<br />
avoiding d_hash list corruption for reused hashed negatives.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.34.1 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2010cb06b9df7d3c816c78358c566bdacbdf38ff
- https://git.kernel.org/stable/c/4147ae08824cc8b65d2b2018f79d416af2937108
- https://git.kernel.org/stable/c/4179cc390dacebc87079419ec92f86f3dc46294d
- https://git.kernel.org/stable/c/73b47a1f06dee5e61b00dee5227d75d3f1f6d977
- https://git.kernel.org/stable/c/79ffcbeac6bc1dc1bcdb0434acf250f6215ec111
- https://git.kernel.org/stable/c/803447f93d75ab6e40c85e6d12b5630d281d70d6
- https://git.kernel.org/stable/c/83ce43a21bb7df8dd52228afdd918d2d058eefde
- https://git.kernel.org/stable/c/b91e535f208c48a5e7464f1aa38338a30e7912df



