{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46052","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.094Z","datePublished":"2026-05-27T12:57:10.777Z","dateUpdated":"2026-06-19T11:59:10.158Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-19T11:59:10.158Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nceph: only d_add() negative dentries when they are unhashed\n\nCeph can call d_add(dentry, NULL) on a negative dentry that is already\npresent in the primary dcache hash.\n\nIn the current VFS that is not safe.  d_add() goes through __d_add()\nto __d_rehash(), which unconditionally reinserts dentry->d_hash into\nthe hlist_bl bucket.  If the dentry is already hashed, reinserting the\nsame node can corrupt the bucket, including creating a self-loop.\nOnce that happens, __d_lookup() can spin forever in the hlist_bl walk,\ntypically looping only on the d_name.hash mismatch check and\neventually triggering RCU stall reports like this one:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu:         87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829\n rcu:         (t=2101 jiffies g=79058445 q=698988 ncpus=192)\n CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023\n RIP: 0010:__d_lookup+0x46/0xb0\n Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f\n RSP: 0018:ff745a70c8253898 EFLAGS: 00000282\n RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966\n RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0\n RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89\n R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0\n R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f\n FS:  00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  lookup_fast+0x9f/0x100\n  walk_component+0x1f/0x150\n  link_path_walk+0x20e/0x3d0\n  path_lookupat+0x68/0x180\n  filename_lookup+0xdc/0x1e0\n  vfs_statx+0x6c/0x140\n  vfs_fstatat+0x67/0xa0\n  __do_sys_newfstatat+0x24/0x60\n  do_syscall_64+0x6a/0x230\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is reachable with reused cached negative dentries.  A Ceph lookup\nor atomic_open can be handed a negative dentry that is already hashed,\nand fs/ceph/dir.c then hits one of two paths that incorrectly assume\n\"negative\" also means \"unhashed\":\n\n  - ceph_finish_lookup():\n      MDS reply is -ENOENT with no trace\n      -> d_add(dentry, NULL)\n\n  - ceph_lookup():\n      local ENOENT fast path for a complete directory with shared caps\n      -> d_add(dentry, NULL)\n\nBoth paths can therefore re-add an already-hashed negative dentry.\n\nCeph already uses the correct pattern elsewhere: ceph_fill_trace() only\ncalls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)\nis true.\n\nFix both fs/ceph/dir.c sites the same way: only call d_add() for a\nnegative dentry when it is actually unhashed.  If the negative dentry\nis already hashed, leave it in place and reuse it as-is.\n\nThis preserves the existing behavior for unhashed dentries while\navoiding d_hash list corruption for reused hashed negatives."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ceph/dir.c"],"versions":[{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"4147ae08824cc8b65d2b2018f79d416af2937108","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"73b47a1f06dee5e61b00dee5227d75d3f1f6d977","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"79ffcbeac6bc1dc1bcdb0434acf250f6215ec111","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"83ce43a21bb7df8dd52228afdd918d2d058eefde","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"4179cc390dacebc87079419ec92f86f3dc46294d","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"b91e535f208c48a5e7464f1aa38338a30e7912df","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"2010cb06b9df7d3c816c78358c566bdacbdf38ff","status":"affected","versionType":"git"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"803447f93d75ab6e40c85e6d12b5630d281d70d6","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ceph/dir.c"],"versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4147ae08824cc8b65d2b2018f79d416af2937108"},{"url":"https://git.kernel.org/stable/c/73b47a1f06dee5e61b00dee5227d75d3f1f6d977"},{"url":"https://git.kernel.org/stable/c/79ffcbeac6bc1dc1bcdb0434acf250f6215ec111"},{"url":"https://git.kernel.org/stable/c/83ce43a21bb7df8dd52228afdd918d2d058eefde"},{"url":"https://git.kernel.org/stable/c/4179cc390dacebc87079419ec92f86f3dc46294d"},{"url":"https://git.kernel.org/stable/c/b91e535f208c48a5e7464f1aa38338a30e7912df"},{"url":"https://git.kernel.org/stable/c/2010cb06b9df7d3c816c78358c566bdacbdf38ff"},{"url":"https://git.kernel.org/stable/c/803447f93d75ab6e40c85e6d12b5630d281d70d6"}],"title":"ceph: only d_add() negative dentries when they are unhashed","x_generator":{"engine":"bippy-1.2.0"}}}}