CVE-2026-43408: Linux Kernel Privilege Escalation Flaw

CVE-2026-43408 Overview

CVE-2026-43408 is a kernel vulnerability in the Linux Ceph distributed filesystem client. Several callers of ceph_mdsc_build_path() pass a ceph_path_info structure that is not zero-initialized. When the build function fails, the subsequent call to ceph_mdsc_free_path_info() operates on uninitialized stack memory and triggers slab allocator corruption.

Observed crashes on Linux 6.18.12 include virt_to_cache: Object is not a Slab page! warnings, kmem_cache_free failures, and a kernel BUG at mm/slub.c:634 invalid opcode oops in __slab_free. The upstream commit message notes the bug may be exploitable for local privilege escalation.

Critical Impact

Local users on systems mounting Ceph filesystems can trigger kernel slab corruption through filesystem operations such as open(), leading to denial of service and potential privilege escalation.

Affected Products

• Linux kernel Ceph client (fs/ceph)
• Confirmed crash reproduction on Linux 6.18.12
• Stable branches receiving backports per commits 43323a59, 453df1f4, 644b47f0, and 8be8911f

Discovery Timeline

• 2026-05-08 - CVE-2026-43408 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-43408

Vulnerability Analysis

The Ceph client uses ceph_mdsc_build_path() to construct a path string for the metadata server. The function takes a pointer to a ceph_path_info structure that it populates with allocated memory and length fields. On success the structure is fully initialized, but on error paths the function returns without touching the structure.

Callers consistently invoke ceph_mdsc_free_path_info() even when ceph_mdsc_build_path() fails. The free routine reads pointer and cache fields from the structure to determine what to release. When those fields contain uninitialized stack data, the kernel attempts to free arbitrary addresses through kmem_cache_free().

The crash trace shows the freed object passing through cache_from_obj, which detects a slab cache mismatch (names_cache but object is from ceph_inode_info) before the slab allocator aborts with a BUG. An attacker who controls stack contents prior to the failed call may direct the free at an address of their choosing.

Root Cause

The regression originated in commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"), which added ceph_path_info parameters to several call sites. Some call sites declared the structure with an initializer; others did not. The fixed callers include paths reachable from ceph_open() and do_dentry_open(), which any local user can invoke by opening a file on a mounted Ceph volume.

Attack Vector

Exploitation requires local access and the ability to perform filesystem operations against a Ceph mount. The attacker triggers an error in ceph_mdsc_build_path(), after which the caller invokes ceph_mdsc_free_path_info() against a stack-resident structure containing attacker-influenced residual values. The result is a controlled call into the slab freelist machinery, which can corrupt kernel memory state.

No public proof-of-concept is associated with this CVE. The upstream patch series adds explicit {} initializers at every affected call site, eliminating the uninitialized read.

Detection Methods for CVE-2026-43408

Indicators of Compromise

• Kernel log entries containing virt_to_cache: Object is not a Slab page! originating from a ceph_open or path_openat call chain
• cache_from_obj: Wrong slab cache warnings referencing names_cache and ceph_inode_info
• kernel BUG at mm/slub.c:634 or invalid opcode oops at __slab_free+0x1a4/0x350 on hosts that mount Ceph
• Unexpected process termination or kernel panic when user workloads open files on a Ceph filesystem

Detection Strategies

• Collect kernel ring buffer output (dmesg, journalctl -k) from Ceph clients and alert on slab allocator warnings and BUG conditions
• Inventory hosts running affected kernel versions with the in-tree Ceph client loaded (lsmod | grep ceph)
• Correlate kernel oops events with the user identity and process performing filesystem operations to surface possible exploitation attempts

Monitoring Recommendations

• Forward kernel logs from Ceph client hosts to a centralized logging or SIEM pipeline for retention and pattern matching
• Track kernel package versions through configuration management to identify hosts still running pre-patch builds
• Monitor for repeated ceph_open failures from non-administrative users, which may indicate probing of the error path

How to Mitigate CVE-2026-43408

Immediate Actions Required

• Install the stable kernel update that includes commits 43323a5934b6, 453df1f45358, 644b47f0574f, or 8be8911f5908 for your branch
• Reboot Ceph client hosts after upgrade so the patched fs/ceph module is loaded
• Restrict shell and container access on Ceph clients to trusted users until patches are deployed

Patch Information

The fix adds zero initializers (struct ceph_path_info path_info = {};) at every call site that invokes ceph_mdsc_build_path() followed by ceph_mdsc_free_path_info(). Apply the kernel update from your distribution that backports the upstream commits referenced in the Kernel git Commit 43323a5, Kernel git Commit 453df1f4, Kernel git Commit 644b47f0, and Kernel git Commit 8be8911f.

Workarounds

• Unmount Ceph filesystems on hosts that cannot be patched immediately and serve workloads through user-space alternatives such as libcephfs or rbd-nbd until the kernel is updated
• Limit CAP_SYS_ADMIN-less local users from accessing Ceph mounts by restricting mount points with noexec, container policies, or namespace isolation
• Enable kernel hardening options such as slab_nomerge and init_on_free=1 to reduce the predictability of uninitialized stack content and slab reuse

# Verify kernel version and confirm the patched fs/ceph is loaded
uname -r
modinfo ceph | grep -E '^(filename|version|srcversion):'

# Restrict access to Ceph mount points pending patch deployment
mount | grep ' type ceph '
chmod 0750 /mnt/cephfs