Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: No shortcut out of RDS_CONN_ERROR

RDS connections carry a state "rds_conn_path::cp_state",
and transitions from one state to another are conditional
upon an expected state: "rds_conn_path_transition."

There is one exception to this conditionality, which is
"RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop"
regardless of what state the condition is currently in.

But as soon as a connection enters state "RDS_CONN_ERROR",
the connection handling code expects it to go through the
shutdown-path.

The RDS/TCP multipath changes added a shortcut out of
"RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING"
via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").

A subsequent "rds_tcp_reset_callbacks" can then transition
the state to "RDS_CONN_RESETTING" with a shutdown-worker queued.

That'll trip up "rds_conn_init_shutdown", which was
never adjusted to handle "RDS_CONN_RESETTING" and subsequently
drops the connection with the dreaded "DR_INV_CONN_STATE",
which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.

So we do two things here:

a) Don't shortcut "RDS_CONN_ERROR", but take the longer
path through the shutdown code.

b) Add "RDS_CONN_RESETTING" to the expected states in
"rds_conn_init_shutdown" so that we won't error out
and get stuck, if we ever hit weird state transitions
like this again.
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An error in the Linux kernel’s RDS implementation causes the state machine to bypass the normal shutdown path when a connection enters the RDS_CONN_ERROR state. The code mistakenly shortcuts from RDS_CONN_ERROR directly back to RDS_CONN_CONNECTING, and then can be forced into RDS_CONN_RESETTING, leaving a shutdown worker queued forever. This flaw creates a dead‑loop that consumes kernel resources, leading to a denial of service for systems that use the RDS stack.
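
The sequence described above, replayed in a small user-space model that is added here for illustration and is not kernel code or part of the advisory. The state names are the advisory's; `struct path`, the helper functions, `replay()` and the rule that a set queued flag blocks re-queuing are assumptions of the model. It runs the error, accept and reset steps with and without each of the two fixes.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model, not kernel code. State names are the advisory's;
 * struct path, the helpers and replay() are hypothetical. */
enum state { DOWN, CONNECTING, DISCONNECTING, UP, RESETTING, ERROR };
struct path { enum state st; bool work_queued; int pending; };

/* Conditional transition: succeeds only from the expected state. */
static bool transition(struct path *p, enum state from, enum state to)
{
    if (p->st != from) return false;
    p->st = to;
    return true;
}

/* Forced drop to ERROR; queues a worker only if the flag is clear (assumed). */
static void drop(struct path *p)
{
    p->st = ERROR;
    if (!p->work_queued) { p->work_queued = true; p->pending++; }
}

/* Worker: on an unexpected state it drops again, flag still set (DR_INV_CONN_STATE). */
static void shutdown_worker(struct path *p, bool accept_resetting)
{
    bool ok = transition(p, UP, DISCONNECTING) ||
              transition(p, ERROR, DISCONNECTING) ||
              (accept_resetting && transition(p, RESETTING, DISCONNECTING));
    p->pending--;
    if (!ok) { drop(p); return; }
    p->st = DOWN;
    p->work_queued = false;
}

/* Replay the sequence; true means stuck: flag set, no worker left to clear it. */
static bool replay(bool shortcut, bool accept_resetting)
{
    struct path p = { UP, false, 0 };
    drop(&p);                                         /* error: worker queued */
    if (shortcut) transition(&p, ERROR, CONNECTING);  /* accept-path shortcut */
    transition(&p, CONNECTING, RESETTING);            /* reset callbacks */
    shutdown_worker(&p, accept_resetting);
    return p.work_queued && p.pending == 0;
}

int main(void)
{
    return printf("unfixed=%d fix_a=%d fix_b=%d\n", replay(true, false),
                  replay(false, false), replay(true, true)) < 0;
}
```

In the model, removing the shortcut (fix a) or accepting RESETTING in the shutdown worker (fix b) is each enough to let the worker finish and clear the flag.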

Affected Systems

Any Linux kernel build that includes the RDS networking subsystem and does not contain the commits that restore the full shutdown sequence is vulnerable. This spans all kernel versions covered by the identified commits. Vendor‑specific downstream patching information is not supplied in the references, so users should check whether their distribution’s kernel contains the commit 19e384a7d00d888303a8285977cdf1970c6cccd6 or the other referenced changes.

Risk and Exploitability

The CVSS base score of 7.5 indicates high impact. The EPSS score is 0.00024 (less than 1%), indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by establishing or flooding RDS connections, which is a remote network attack. Because the flaw can be exercised remotely without privilege escalation, it can be a realistic risk for servers with RDS enabled.

Generated by OpenCVE AI on May 8, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit 19e384a7d00d888303a8285977cdf1970c6cccd6 and the accompanying fixes that restore the proper RDS shutdown logic.
  • If RDS functionality is not required, completely disable RDS in the kernel configuration or via system configuration to eliminate the attack surface.
  • Monitor kernel logs such as dmesg or /var/log/kern.log for the message “DR_INV_CONN_STATE” or for indicators of stuck shutdown workers; if such logs appear, reapply the patch and reboot the system.

Generated by OpenCVE AI on May 8, 2026 at 22:27 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-795

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-795

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title net/rds: No shortcut out of RDS_CONN_ERROR
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:26.671Z

Reserved: 2026-05-01T14:12:55.994Z

Link: CVE-2026-43226

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:42.393

Modified: 2026-05-08T21:17:34.370

Link: CVE-2026-43226

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43226 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses