Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before
the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an
unqueued message can be cleaned up as if it owned normal payload pages.
However, zerocopy ownership is really determined by the presence of
op_mmp_znotifier, regardless of whether the message has reached the
socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as
the cleanup discriminator. If the message is already associated with a
socket, keep the existing completion path. Otherwise, drop the pinned
page accounting directly and release the notifier before putting the
payload pages.

This keeps early send failure cleanup consistent with the zerocopy
lifetime rules without changing the normal queued completion path.
Published: 2026-05-21
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s RDS networking stack contains a logic error in the cleanup path for zero‑copy sends that can fail after user pages have been pinned but before the message is queued. The current implementation assumes a zerocopy state based on an indicator that is only valid for queued messages, so unqueued messages may be cleaned up as if they owned regular payload pages. This misinterpretation leads to incorrect handling of pinned pages, potentially resulting in memory corruption or kernel instability. The flaw is catalogued as CWE‑459, indicating an improper use of state that can corrupt kernel data structures.

Affected Systems

Any Linux kernel installation that includes the RDS protocol and does not contain the series of commits that introduce the patch is affected. The advisory does not specify a version range, so all kernels that have the RDS subsystem prior to the referenced fixes should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of < 1 % indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would likely require a local or privileged attacker who can send RDS packets that trigger a zero‑copy send failure, leading to improper cleanup and potential kernel instability.

Generated by OpenCVE AI on May 30, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the RDS zerocopy send cleanup fix.
  • If a kernel upgrade is not immediately possible, disable the RDS protocol (for example, set sysctl net.rds.enabled=0, unload the rds module, or block RDS traffic with firewall rules).
  • Continuously monitor kernel logs (e.g., dmesg, /var/log/kern.log) for RDS‑related warnings or errors and apply patches or mitigations as soon as they become available.

Generated by OpenCVE AI on May 30, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 22 May 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Thu, 21 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue. Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages. This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
Title net/rds: handle zerocopy send cleanup before the message is queued
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:16:11.767Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43502

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-21T13:16:19.520

Modified: 2026-06-01T17:17:07.490

Link: CVE-2026-43502

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-21T00:00:00Z

Links: CVE-2026-43502 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T13:45:24Z

Weaknesses