Ceph Kernel Vulnerability in Linux Kernel Affects Multiple Systems
CVE-2026-43408

7.8 HIGH

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-43408?

A vulnerability in the Ceph functionality of the Linux kernel can crash the system because of uninitialized memory in the ceph_path_info structure. Some callers of ceph_mdsc_build_path() do not initialize the structure they pass in, so when the path build fails, the subsequent call to ceph_mdsc_free_path_info() operates on uninitialized contents. This can cause random crashes or potentially allow privilege escalation. A patch has been implemented to ensure that the structure is initialized correctly in all relevant functions.
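The bug class described above, shown as an added userspace model that is not the kernel's code or the upstream patch: a caller whose build step fails before writing the structure, followed by cleanup. The struct layout, function names and the 0xA5 fill are assumptions made for illustration; the model only reports whether cleanup would free a pointer, it never frees garbage.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for ceph_path_info; fields are assumed. */
struct path_info {
    char  *path;     /* heap buffer owned by the struct, or NULL */
    size_t pathlen;
};

/* Builder model: may fail before writing to *pi, like a failed path build. */
static int build_path(struct path_info *pi, const char *src)
{
    if (src == NULL)
        return -ENOENT;              /* early exit leaves *pi untouched */
    pi->pathlen = strlen(src);
    pi->path = malloc(pi->pathlen + 1);
    if (pi->path == NULL)
        return -ENOMEM;
    memcpy(pi->path, src, pi->pathlen + 1);
    return 0;
}

/* Cleanup model: reports whether it would hand pi->path to free(). */
static int cleanup_would_free(const struct path_info *pi)
{
    return pi->path != NULL;
}

/* Runs a caller whose build fails, then reports what cleanup would do.
 * zero_init=0: struct keeps stale bytes (constructed 0xA5 fill stands in
 * for uninitialized stack memory). zero_init=1: the fixed caller shape. */
static int failed_build_frees_garbage(int zero_init)
{
    struct path_info pi;
    memset(&pi, zero_init ? 0 : 0xA5, sizeof(pi));
    int err = build_path(&pi, NULL);   /* fails; pi is never written */
    return err < 0 && cleanup_would_free(&pi);
}

/* Success path: cleanup owns a real buffer and releases it once. */
static int successful_build_is_freed(void)
{
    struct path_info pi = {0};
    int err = build_path(&pi, "/constructed/sample/path");
    int owned = cleanup_would_free(&pi);
    free(pi.path);
    return err == 0 && owned;
}
```

With the stale fill, cleanup after a failed build would act on a pointer the builder never set; with zero initialization the same cleanup call is a no-op.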

Affected Version(s)

Linux db378e6f83ec705c6091c65d482d555edc2b0a72 < 644b47f0574fd82aeb9d00317eca8d1f2a525c8c

Linux 15f519e9f883b316d86e2bb6b767a023aafd9d83 < 8be8911f590813e6f90bc6407ced1b23e50bc5da

Linux 15f519e9f883b316d86e2bb6b767a023aafd9d83 < 453df1f4535842bf17ff1885a225e153d7ee3374

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
