CVE-2026-43494 - Vulnerability Details

- net/rds: reset op_nents when zerocopy page pin fails

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().

Published: 2026-05-21

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel fails to reset the op_nents counter when a zerocopy page pinning operation fails. This omission causes the subsequent cleanup routine to iterate over a count that is incorrectly non‑zero, freeing memory pages that were already released. The double free can corrupt kernel memory, potentially leading to instability or other unintended behavior. This is a kernel memory corruption vulnerability.

Affected Systems

All Linux kernel builds that include the RDS subsystem but do not contain the patch that resets op_nents are affected. No specific version range is provided, so any kernel that compiles RDS without the fix may be vulnerable.

Risk and Exploitability

The EPSS score is under 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented exploitation. The CVSS score of 7.8 reflects the potential impact of kernel memory corruption. The description does not specify an attack vector, so the exact path of exploitation remains unclear.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< c6e51512a784c4a7b86e1a044988696e3b3721fa
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< 03014551938a0887fa55f18ce49b70158a9c0113
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< d84ce1786ce40fdd3dd98db47aec5527817e1ef6
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< 9115669faedccdda100428e2d26fd0aac8c50799
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< 0bbbff00a15b1df2cac9014d6cf4b6890f473353
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< 640e37f58f991546a87540d067279c2c1fa9fe51
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< 290e833d1acb1093bc121fcdc97f5e6161157479
`0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3`	affected	< e174929793195e0cd6a4adb0cad731b39f9019b4

Linux

affected

Version	Status	Constraints
`4.17`	affected	—
`0`	unaffected	< 4.17
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1-rc4`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3,e174929793195e0cd6a4adb0cad731b39f9019b4)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.17`	affected	generic	—
`[0,4.17)`	unaffected	generic	—
`[7.1-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that resets op_nents when zerocopy page pin fails (commit c/e1749297 from the Linux kernel source).
Reboot the system so that the updated kernel image is used.
If the RDS subsystem is not required, disable the module to remove the vulnerable code from memory.

Generated by OpenCVE AI on May 30, 2026 at 13:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6305-1	linux security update
Ubuntu USN	USN-8370-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8371-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8373-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8374-1	Linux kernel vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/21/2
https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113
https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353
https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479
https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51
https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799
https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa
https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6
https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4
https://lore.kernel.org/linux-cve-announce/2026052130-CVE-2026-43494-a65a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43494
https://www.cve.org/CVERecord?id=CVE-2026-43494

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113 https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 23 May 2026 11:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353 https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479 https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51 https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799

Fri, 22 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416 CWE-795

Fri, 22 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026052130-CVE-2026-43494-a65a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43494 https://www.cve.org/CVERecord?id=CVE-2026-43494
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 21 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/21/2

Thu, 21 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-795

Thu, 21 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Title		net/rds: reset op_nents when zerocopy page pin fails
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-21T10:49:21.310Z

Updated: 2026-06-01T16:15:54.326Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43494

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-21T12:16:19.957

Modified: 2026-06-01T17:17:05.383

Link: CVE-2026-43494

Redhat

Severity : Important

Publid Date: 2026-05-21T00:00:00Z

Links: CVE-2026-43494 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses

CWE-1341
Multiple Releases of Same Resource or Handle

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object