Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().
Published: 2026-05-21
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel fails to reset the op_nents counter when a zerocopy page pinning operation fails. The subsequent cleanup routine then iterates over a stale non-zero count and frees pages that were already released. The resulting double free can corrupt kernel memory, which in a privileged environment can be leveraged to run arbitrary code with kernel privileges. This is therefore a severe kernel-level bug.
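
The stale-counter pattern described above, as a small userspace C model added here for illustration (it is not the kernel source or the upstream patch). The struct layouts, the model_* and run_send names, and the fail_at and reset_on_error parameters are assumptions; only op_nents mirrors a name on this page.

```c
/* Userspace model of the flaw; constructed for illustration, not kernel code. */
#include <stdio.h>
#define MAX_SG 4

struct page { int refcount; };                 /* stand-in for a pinned page */
struct msg  { struct page *sg[MAX_SG]; unsigned op_nents; };

static int double_puts;                        /* releases of an already-released page */

static void model_put_page(struct page *p) {
    if (p->refcount == 0) { double_puts++; return; }
    p->refcount--;
}

/* Pin pages one at a time; pinning fails at index fail_at (hypothetical knob). */
static int model_zcopy_from_user(struct msg *rm, struct page *pages,
                                 unsigned fail_at, int reset_on_error) {
    for (unsigned i = 0; i < MAX_SG; i++) {
        if (i == fail_at) {
            for (unsigned j = 0; j < rm->op_nents; j++)
                model_put_page(rm->sg[j]);     /* error path drops the pins */
            if (reset_on_error)
                rm->op_nents = 0;              /* the fix: nothing left to purge */
            return -1;
        }
        pages[i].refcount = 1;
        rm->sg[rm->op_nents++] = &pages[i];
    }
    return 0;
}

/* Later cleanup: releases every entry that op_nents still counts. */
static void model_purge(struct msg *rm) {
    for (unsigned i = 0; i < rm->op_nents; i++)
        model_put_page(rm->sg[i]);
    rm->op_nents = 0;
}

/* One send attempt; returns the number of double releases observed. */
int run_send(unsigned fail_at, int reset_on_error) {
    struct page pages[MAX_SG] = {{0}};
    struct msg rm = {{0}, 0};
    double_puts = 0;
    model_zcopy_from_user(&rm, pages, fail_at, reset_on_error);
    model_purge(&rm);
    return double_puts;
}

int main(void) { printf("%d %d\n", run_send(2, 0), run_send(2, 1)); return 0; }
```

With the counter left stale, every page pinned before the failure is released a second time by the cleanup; with the reset, the cleanup loop has nothing to iterate over.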

Affected Systems

All Linux kernel distributions are impacted, including the generic Linux kernel. No specific version range is listed, so any kernel build compiled with RDS and without the patch may be vulnerable. Updating to a kernel release that incorporates the upstream patch (commit c/e1749297…) is required to remediate the issue.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not catalogued in CISA KEV, indicating no publicly documented exploitation at this time. However, the flaw affects kernel memory management, a critical component, which raises the impact of exploitation to high. The CVSS score is not specified, but the nature of the bug suggests a potentially high severity. Without evidence of active exploitation, the likelihood remains uncertain, but the risk of a privilege escalation scenario warrants immediate attention.

Generated by OpenCVE AI on May 21, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that resets op_nents when zerocopy page pin fails (e.g., the commit referenced in the advisory).
  • Reboot the system to load the updated kernel and ensure the operating system boots from the patched image.
  • Verify that RDS functionality is operating correctly, or consider disabling RDS if it is not required in your environment, to reduce the potential attack surface.

Advisories

No advisories yet.

History

Thu, 21 May 2026 16:30:00 +0000

Type Values Removed Values Added
References

Thu, 21 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-795

Thu, 21 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Title net/rds: reset op_nents when zerocopy page pin fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-21T15:04:20.704Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43494

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T12:16:19.957

Modified: 2026-05-21T16:16:23.157

Link: CVE-2026-43494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T13:00:10Z

Weaknesses