Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before
the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an
unqueued message can be cleaned up as if it owned normal payload pages.
However, zerocopy ownership is really determined by the presence of
op_mmp_znotifier, regardless of whether the message has reached the
socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as
the cleanup discriminator. If the message is already associated with a
socket, keep the existing completion path. Otherwise, drop the pinned
page accounting directly and release the notifier before putting the
payload pages.

This keeps early send failure cleanup consistent with the zerocopy
lifetime rules without changing the normal queued completion path.
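As an added illustration that is not part of the CVE record or of the kernel patch: a userspace C model of the purge decision the commit message describes, with the m_rs-inferred logic beside the notifier-first logic. The struct, field and function names follow the commit text; the counters standing in for page refcounting are assumptions.

```c
/* Userspace model of the rds_message_purge() cleanup decision (CVE-2026-43502).
 * Assumed simplification, not kernel code: a message carries m_rs (set once it
 * is queued on a socket) and op_mmp_znotifier (set once user pages were pinned
 * for zerocopy). Pinned user pages must be released with put_page(), never
 * freed as kernel-owned payload. Counters stand in for real refcounting. */
#include <stdbool.h>
#include <stddef.h>

struct rds_msg_model {
    void *m_rs;             /* non-NULL once attached to a sending socket */
    void *op_mmp_znotifier; /* non-NULL once user pages are pinned (zerocopy) */
    int   op_nents;         /* number of payload pages */
};

struct purge_result {
    int  freed_as_kernel_pages; /* __free_page() calls: only valid for kernel-owned payload */
    int  put_pinned_pages;      /* put_page() calls: the correct release for pinned pages */
    bool notifier_released;
    bool completion_signalled;  /* queued completion path: socket is notified */
};

/* Vulnerable logic: zerocopy state is only inferred while m_rs is set, so an
 * unqueued zerocopy message has its pinned user pages freed as payload. */
struct purge_result purge_vulnerable(struct rds_msg_model *rm)
{
    struct purge_result r = {0};
    bool zcopy = false;
    if (rm->m_rs) {
        if (rm->op_mmp_znotifier) {
            zcopy = true;
            r.completion_signalled = r.notifier_released = true;
            rm->op_mmp_znotifier = NULL;
        }
        rm->m_rs = NULL;
    }
    for (int i = 0; i < rm->op_nents; i++)
        if (zcopy) r.put_pinned_pages++; else r.freed_as_kernel_pages++;
    return r;
}

/* Fixed logic: capture the notifier up front; it alone decides ownership.
 * Queued messages keep the completion path, unqueued ones drop the pinned
 * accounting directly and release the notifier before putting the pages. */
struct purge_result purge_fixed(struct rds_msg_model *rm)
{
    struct purge_result r = {0};
    void *znotifier = rm->op_mmp_znotifier; /* captured before touching m_rs */
    if (rm->m_rs) {
        if (znotifier) r.completion_signalled = true;
        rm->m_rs = NULL;
    }
    if (znotifier) { r.notifier_released = true; rm->op_mmp_znotifier = NULL; }
    for (int i = 0; i < rm->op_nents; i++)
        if (znotifier) r.put_pinned_pages++; else r.freed_as_kernel_pages++;
    return r;
}
```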
Published: 2026-05-21
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's RDS networking stack contains a flaw in the zerocopy send cleanup logic that can misclassify a message as owning normal payload pages when the message has not yet been queued. This incorrect cleanup can drop or reuse pinned pages in violation of their intended lifetimes, potentially corrupting kernel memory and triggering a kernel panic or other instability. The impact is a denial-of-service condition caused by a kernel crash rather than direct data exposure or remote code execution.

Affected Systems

All Linux kernel releases that include the RDS protocol and have not yet incorporated the commit series fixing the zero-copy send cleanup are affected. No explicit kernel version range is documented, so any installation of the RDS subsystem prior to the referenced patches should be considered vulnerable.

Risk and Exploitability

The advisory does not provide a CVSS or EPSS score, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a current high-risk threat. The likely attack vector is local; an attacker who can generate RDS packets or otherwise initiate a zerocopy send to the host could trigger the inconsistent cleanup and induce a kernel crash. Because the flaw leads to kernel memory corruption without a demonstrated direct code execution path, exploitation requires a local presence and is therefore considered more complex than remote exploits.

Generated by OpenCVE AI on May 21, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch for the RDS zerocopy send cleanup bug.
  • If an immediate kernel upgrade is not feasible, disable the RDS protocol (e.g., set the sysctl net.rds.enabled=0, unload the rds module, or block RDS traffic with firewall rules).
  • Monitor kernel logs such as dmesg and /var/log/kern.log for signs of RDS-related crashes or memory corruption and apply patches or mitigations as soon as they become available.


Tracking


Advisories

No advisories yet.

History

Thu, 21 May 2026 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-416, CWE-590

Thu, 21 May 2026 12:30:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue. Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages. This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
Type: Title
Values Added: net/rds: handle zerocopy send cleanup before the message is queued
Type: First Time appeared
Values Added: Linux; Linux linux Kernel
Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-21T12:17:50.444Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43502

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T13:16:19.520

Modified: 2026-05-21T13:16:19.520

Link: CVE-2026-43502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T16:45:14Z

Weaknesses