In the Linux kernel, the following vulnerability has been resolved:
ceph: fix BUG_ON in _cephbuildxattrsblob() due to stale blob size
The generic/642 test-case can reproduce the kernel crash:
[40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr cephconworkfn [40243.612715] RIP: 0010:__cephbuildxattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prepcap+0x3fd/0x4a0 [40243.628789] ? dorawspinunlock+0x4e/0xe0 [40243.629474] cephcheckcaps+0x46a/0xc80 [40243.630094] ? __lockacquire+0x4a2/0x2650 [40243.630773] ? findheldlock+0x31/0x90 [40243.631347] ? handlecapgrant+0x79f/0x1060 [40243.632068] ? lockrelease+0xd9/0x300 [40243.632696] ? __mutexunlockslowpath+0x3e/0x340 [40243.633429] ? lockrelease+0xd9/0x300 [40243.634052] handlecapgrant+0xcf6/0x1060 [40243.634745] cephhandlecaps+0x122b/0x2110 [40243.635415] mdsdispatch+0x5bd/0x2160 [40243.636034] ? cephconprocessmessage+0x65/0x190 [40243.636828] ? lockrelease+0xd9/0x300 [40243.637431] cephconprocessmessage+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] processmessage+0x16/0x1a0 [40243.639915] ? sgfreetable+0x39/0x90 [40243.640572] cephconv2tryread+0xf58/0x2120 [40243.641255] ? lockacquire+0xc8/0x300 [40243.641863] cephconworkfn+0x151/0x820 [40243.642493] processonework+0x22f/0x630 [40243.643093] ? processonework+0x254/0x630 [40243.643770] workerthread+0x1e2/0x400 [40243.644332] ? __pfxworkerthread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfxkthread+0x10/0x10 [40243.646125] retfrom_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfxkthread+0x10/0x10 [40243.647919] retfromforkasm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intelraplmsr intelraplcommon inteluncorefrequencycommon skxedaccommon nfit kvmintel kvm irqbypass joydev ghashclmulniintel aesniintel rapl inputleds machid psmouse vga16fb serioraw vgastate floppy i2cpiix4 pataacpi bochs qemufwcfg i2csmbus schfqcodel rbd dmcrypt msr parportpc ppdev lp parport efipstore [40243.654766] ---[ end trace 0000000000000000 ]---
Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the requiredblobsize computation to before the _buildxattrs() call, introducing a race.
__buildxattrs() releases and reacquires iceph_lock during execution. In that window, handlecapgrant() may update ixattrs.blob with a newer MDS-provided blob and bump ixattrs.version. When __bui ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52961.json",
"cna_assigner": "Linux"
}