PT-2026-43933 · Linux · Linux Kernel
Published 2026-05-27 · Updated 2026-06-04 · CVE-2026-46066
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel version 6.18.16
Linux kernel version 6.19.6
Linux kernel version 7.0-rc1
Description
An off-by-one error exists in the Ceph component of the Linux kernel. The issue occurs when move_dirty_folio_in_page_array() fails to allocate a bounce buffer for ciphertext in an encrypted file, and the dirty folio is not the first in the batch. In this scenario, ceph_process_folio_batch() increments the ceph_wbc->num_ops variable but fails to add the discontiguous folio to the array. Consequently, ceph_submit_write() encounters a mismatch between the expected number of contiguous ranges and the actual operations, leading to a kernel panic. This can be triggered by writing to fscrypt-enabled CephFS files using a specific write pattern under high memory pressure.
Recommendations
Update Linux kernel version 6.18.16 to a version where the ceph_wbc->num_ops decrement fix is applied.
Update Linux kernel version 6.19.6 to a version where the ceph_wbc->num_ops decrement fix is applied.
Update Linux kernel version 7.0-rc1 to a version where the ceph_wbc->num_ops decrement fix is applied.
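The counting mismatch from the Description, as a simplified user-space model added here for illustration (not kernel code and not taken from the fix): the range counter is bumped for a discontiguous folio before the folio is queued, so a failed queue step leaves one more expected range than the page array holds. The struct, the function names and the sample folio indices are assumptions; only the num_ops counter name mirrors the advisory.

```c
/* User-space model of the counting bug; every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PAGES 16
/* Constructed sample: two contiguous runs of dirty folio indices. */
static const long SAMPLE_DIRTY[] = {10, 11, 20, 21};
struct wb_model {
    long pages[MAX_PAGES];   /* folio indices actually queued */
    size_t locked_pages;
    unsigned num_ops;        /* contiguous ranges the submit step expects */
};
/* Queuing folio `fail_idx` fails (simulated allocation failure) unless first. */
static void process_batch(struct wb_model *c, const long *dirty, size_t n,
                          long fail_idx, bool fixed)
{
    *c = (struct wb_model){0};
    for (size_t i = 0; i < n && c->locked_pages < MAX_PAGES; i++) {
        bool new_range = c->locked_pages == 0 ||
                         dirty[i] != c->pages[c->locked_pages - 1] + 1;
        if (new_range)
            c->num_ops++;            /* counted before the folio is queued */
        if (c->locked_pages > 0 && dirty[i] == fail_idx) {
            if (fixed && new_range)
                c->num_ops--;        /* undo the count for the dropped folio */
            break;
        }
        c->pages[c->locked_pages++] = dirty[i];
    }
}

/* True when num_ops equals the ranges really present in the page array. */
bool submit_consistent(const long *dirty, size_t n, long fail_idx, bool fixed)
{
    struct wb_model c;
    unsigned ranges = 0;
    process_batch(&c, dirty, n, fail_idx, fixed);
    for (size_t i = 0; i < c.locked_pages; i++)
        if (i == 0 || c.pages[i] != c.pages[i - 1] + 1)
            ranges++;
    return ranges == c.num_ops;
}

int main(void)
{
    printf("unfixed consistent: %d\n", submit_consistent(SAMPLE_DIRTY, 4, 20, false));
    printf("fixed consistent:   %d\n", submit_consistent(SAMPLE_DIRTY, 4, 20, true));
    return 0;
}
```

In the model, a failure on folio 11 or 21 stays consistent even without the decrement, because a contiguous folio never bumps the counter; only the discontiguous, non-first folio exposes the off-by-one.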
Related Identifiers
Affected Products
Linux Kernel