CVE-2026-52961

Source
https://cve.org/CVERecord?id=CVE-2026-52961
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52961.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52961
Downstream
Published
2026-06-24T16:28:41.836Z
Modified
2026-07-12T03:55:01.970655812Z
Summary
ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix BUG_ON in _cephbuildxattrsblob() due to stale blob size

The generic/642 test-case can reproduce the kernel crash:

[40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr cephconworkfn [40243.612715] RIP: 0010:__cephbuildxattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prepcap+0x3fd/0x4a0 [40243.628789] ? dorawspinunlock+0x4e/0xe0 [40243.629474] cephcheckcaps+0x46a/0xc80 [40243.630094] ? __lockacquire+0x4a2/0x2650 [40243.630773] ? findheldlock+0x31/0x90 [40243.631347] ? handlecapgrant+0x79f/0x1060 [40243.632068] ? lockrelease+0xd9/0x300 [40243.632696] ? __mutexunlockslowpath+0x3e/0x340 [40243.633429] ? lockrelease+0xd9/0x300 [40243.634052] handlecapgrant+0xcf6/0x1060 [40243.634745] cephhandlecaps+0x122b/0x2110 [40243.635415] mdsdispatch+0x5bd/0x2160 [40243.636034] ? cephconprocessmessage+0x65/0x190 [40243.636828] ? lockrelease+0xd9/0x300 [40243.637431] cephconprocessmessage+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] processmessage+0x16/0x1a0 [40243.639915] ? sgfreetable+0x39/0x90 [40243.640572] cephconv2tryread+0xf58/0x2120 [40243.641255] ? lockacquire+0xc8/0x300 [40243.641863] cephconworkfn+0x151/0x820 [40243.642493] processonework+0x22f/0x630 [40243.643093] ? processonework+0x254/0x630 [40243.643770] workerthread+0x1e2/0x400 [40243.644332] ? __pfxworkerthread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfxkthread+0x10/0x10 [40243.646125] retfrom_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfxkthread+0x10/0x10 [40243.647919] retfromforkasm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intelraplmsr intelraplcommon inteluncorefrequencycommon skxedaccommon nfit kvmintel kvm irqbypass joydev ghashclmulniintel aesniintel rapl inputleds machid psmouse vga16fb serioraw vgastate floppy i2cpiix4 pataacpi bochs qemufwcfg i2csmbus schfqcodel rbd dmcrypt msr parportpc ppdev lp parport efipstore [40243.654766] ---[ end trace 0000000000000000 ]---

Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the requiredblobsize computation to before the _buildxattrs() call, introducing a race.

__buildxattrs() releases and reacquires iceph_lock during execution. In that window, handlecapgrant() may update ixattrs.blob with a newer MDS-provided blob and bump ixattrs.version. When __bui ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52961.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d93231a6bc8a452323d5fef16cca7107ce483a27
Fixed
7eb72425c4e3234926502eb262f9d6193ccd572c
Fixed
d5bd8b4e39cfa8b087448adcd48088065cd629d5
Fixed
368d21ae9081c93497b1c8163bed3eddcb2443ff
Fixed
0c22d9511cbde746622f8e4c11aaa63fe76d45f9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52961.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52961.json"