CVE-2026-46052: Linux Kernel Privilege Escalation Flaw

CVE-2026-46052 is a privilege escalation vulnerability in the Linux kernel affecting the Ceph filesystem, causing dcache corruption and potential system stalls. This article covers technical details, impact, and mitigation.

CVE-2026-46052 Overview

CVE-2026-46052 is a Linux kernel vulnerability in the Ceph filesystem client. The flaw exists in fs/ceph/dir.c, where the code calls d_add(dentry, NULL) on negative dentries that may already be hashed in the primary dcache hash table. Reinserting an already-hashed dentry into the hlist_bl bucket corrupts the linked list and can create a self-loop. Once corrupted, __d_lookup() spins indefinitely walking the bucket, producing RCU stalls and a denial-of-service condition on the affected CPU.

Critical Impact

Local users with access to a Ceph-mounted filesystem can trigger dcache hash list corruption, leading to RCU stalls, kernel soft-lockups, and process hangs on affected CPUs.

Affected Products

  • Linux kernel Ceph client (fs/ceph/dir.c)
  • Kernel version 6.18.17 confirmed in the reported stall trace
  • Stable kernel branches receiving the backported fix referenced in the linked commits

Discovery Timeline

  • 2026-05-27 - CVE-2026-46052 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-46052

Vulnerability Analysis

The Ceph client incorrectly assumes that a negative dentry is also unhashed. The Virtual File System (VFS) layer requires that d_add() only be invoked on unhashed dentries because __d_add() calls __d_rehash(), which unconditionally inserts dentry->d_hash into the corresponding hlist_bl bucket. Reinserting an already-linked node corrupts the bucket and can create a circular reference where a node points to itself.

After corruption, any concurrent dcache lookup entering __d_lookup() walks the bucket and never terminates. The CPU spins on the d_name.hash comparison, eventually triggering rcu_sched self-detected stall warnings. The reported trace shows the stall originating from __d_lookup+0x46/0xb0 called via lookup_fast, walk_component, and path_lookupat during a newfstatat syscall.

Root Cause

Two code paths in fs/ceph/dir.c re-add already-hashed negative dentries. The first is ceph_finish_lookup(), which calls d_add(dentry, NULL) when the Metadata Server (MDS) reply returns -ENOENT without a trace. The second is ceph_lookup(), which uses a local ENOENT fast path for complete directories holding shared caps and also calls d_add(dentry, NULL). Neither path verifies that the dentry is unhashed before reinsertion.

Attack Vector

A local user performing repeated lookups of non-existent paths under a Ceph mount can cause cached negative dentries to be revisited through these paths. When a reused negative dentry is already hashed, the resulting d_add() corrupts the dcache hash bucket. Subsequent path lookups by any process that walk the same hash bucket then hang in __d_lookup(). This denies filesystem access and can destabilize multi-tenant systems that rely on Ceph for shared storage.

The fix mirrors the existing pattern used in ceph_fill_trace(): both call sites now invoke d_add(dentry, NULL) only when d_unhashed(dentry) returns true. Otherwise the negative dentry is reused in place. Refer to the upstream patches for the full code change, including Linux Kernel Commit 2010cb0 and Linux Kernel Commit b91e535.
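
The following user-space model is an added example, not kernel code or part of the upstream patch. It shows why a second head insertion of an already-hashed node produces a self-loop and how the d_unhashed()-style guard prevents it. The struct and function names (node, bucket, add_head, walk, demo) are illustrative assumptions, and the hlist_bl lock bit and RCU are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of an hlist_bl bucket (no lock bit, no RCU).
 * Type and function names are illustrative, not kernel code. */
struct node { struct node *next, **pprev; unsigned hash; };
struct bucket { struct node *first; };

/* Mirrors d_unhashed(): a node is unhashed while pprev is NULL. */
static bool unhashed(const struct node *n) { return n->pprev == NULL; }
/* Unconditional head insertion, as __d_rehash() does with dentry->d_hash. */
static void add_head(struct node *n, struct bucket *b)
{
    struct node *first = b->first;
    n->next = first;                 /* n == first makes n->next point at n */
    if (first)
        first->pprev = &n->next;
    n->pprev = &b->first;
    b->first = n;
}

/* Bounded bucket walk standing in for __d_lookup(): returns nodes visited,
 * or -1 when the walk exceeds max_steps, which means the list has a cycle. */
static int walk(const struct bucket *b, unsigned hash, int max_steps)
{
    int steps = 0;
    for (const struct node *n = b->first; n; n = n->next) {
        if (++steps > max_steps)
            return -1;
        if (n->hash == hash)
            break;
    }
    return steps;
}

/* Add the same negative-dentry node twice, then look up an absent hash.
 * guarded=true applies the fix's pattern: insert only when unhashed. */
static int demo(bool guarded)
{
    struct bucket b = { NULL };
    struct node other = { NULL, NULL, 0x1111 }, neg = { NULL, NULL, 0x2222 };
    struct node *order[] = { &other, &neg, &neg };   /* neg is re-added */
    for (int i = 0; i < 3; i++)
        if (!guarded || unhashed(order[i]))
            add_head(order[i], &b);
    return walk(&b, 0x3333, 1000);
}

int main(void) { printf("unguarded=%d guarded=%d\n", demo(false), demo(true)); return 0; }
```

The real __d_lookup() has no step bound, which is why the corrupted bucket shows up as an RCU stall rather than an error.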

Detection Methods for CVE-2026-46052

Indicators of Compromise

  • Kernel log entries containing rcu: INFO: rcu_sched self-detected stall on CPU with the faulting RIP at __d_lookup
  • Soft-lockup or hung-task warnings referencing lookup_fast, walk_component, or path_lookupat in the call trace
  • Processes accessing Ceph mounts that become stuck in uninterruptible sleep (D state) during stat or open syscalls

Detection Strategies

  • Monitor dmesg and /var/log/messages for RCU stall messages whose stack traces include __d_lookup and Ceph-related frames
  • Compare running kernel versions against the patched stable releases referenced in the upstream commits
  • Correlate filesystem hang events with CPU pinning patterns, since corruption is localized to the affected hash bucket and CPU
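
A plain grep for either string also matches unrelated stalls and traces that only pass through __d_lookup. The scanner below is an added example, not vendor or kernel tooling. It counts only stall reports whose faulting RIP is __d_lookup. The 40-line trace window, the function name count_dlookup_stalls, and the sample log are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define TRACE_WINDOW 40   /* assumed: lines after a stall header that belong to its trace */

/* Count RCU stall reports whose trace names __d_lookup as the faulting RIP.
 * A RIP line only counts when it follows a stall header within the window. */
static int count_dlookup_stalls(const char *log)
{
    int hits = 0, remaining = 0;
    while (*log) {
        const char *eol = strchr(log, '\n');
        size_t len = eol ? (size_t)(eol - log) : strlen(log);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;             /* truncate over-long lines */
        memcpy(line, log, len);
        line[len] = '\0';

        if (strstr(line, "rcu_sched self-detected stall")) {
            remaining = TRACE_WINDOW;          /* a new report starts here */
        } else if (remaining > 0) {
            remaining--;
            if (strstr(line, "RIP:") && strstr(line, "__d_lookup")) {
                hits++;
                remaining = 0;                 /* at most one hit per report */
            }
        }
        log = eol ? eol + 1 : log + strlen(log);
    }
    return hits;
}

/* Constructed sample kernel log lines (not captured from a real host). */
static const char SAMPLE_LOG[] =
    "RIP: 0010:__d_lookup+0x46/0xb0\n"                    /* no stall header: ignored */
    "rcu: INFO: rcu_sched self-detected stall on CPU\n"
    "RIP: 0010:__d_lookup+0x46/0xb0\n"                    /* counted */
    "Call Trace:\n"
    " lookup_fast\n"
    " walk_component\n"
    " path_lookupat\n"
    "rcu: INFO: rcu_sched self-detected stall on CPU\n"
    "RIP: 0010:unrelated_function+0x10/0x20\n";           /* other stall: ignored */

int main(void) { printf("%d\n", count_dlookup_stalls(SAMPLE_LOG)); return 0; }
```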

Monitoring Recommendations

  • Forward kernel logs from Ceph clients to a centralized SIEM and alert on rcu_sched self-detected stall patterns
  • Track process state transitions to detect tasks blocked for extended periods on Ceph mount points
  • Enable softlockup_panic or hung_task_panic in controlled environments to capture diagnostic crash dumps for analysis

How to Mitigate CVE-2026-46052

Immediate Actions Required

  • Apply the upstream Ceph dentry handling patches to the running kernel and reboot affected hosts
  • Audit Linux kernel versions across Ceph client systems and prioritize patching for hosts with high lookup volume on Ceph mounts
  • Restrict untrusted local access to Ceph mount points until kernels are updated

Patch Information

The fix is upstreamed across multiple stable branches. Apply the kernel update containing the relevant commit for your branch: Linux Kernel Commit 2010cb0, Linux Kernel Commit 4179cc3, Linux Kernel Commit 803447f, Linux Kernel Commit 83ce43a, and Linux Kernel Commit b91e535. The patch guards both ceph_finish_lookup() and ceph_lookup() with a d_unhashed() check before calling d_add(dentry, NULL).

Workarounds

  • No reliable runtime workaround exists; the corruption depends on dcache reuse patterns that are not directly controllable from user space
  • Reduce exposure by limiting workloads that aggressively stat non-existent paths on Ceph mounts until the patch is applied
  • Reboot affected hosts to clear any latent dcache corruption after applying the kernel update

```bash
# Report the running kernel and the installed kernel packages so they can be
# compared against the patched release for your distribution
uname -r
rpm -q kernel 2>/dev/null || dpkg -l | grep linux-image
# Check kernel logs for prior stall events involving __d_lookup
dmesg -T | grep -E 'rcu_sched self-detected stall|__d_lookup'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
