CVE-2026-46053 - Vulnerability Details

- net: rds: fix MR cleanup on copy error

Description

In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix MR cleanup on copy error

__rds_rdma_map() hands sg/pages ownership to the transport after
get_mr() succeeds. If copying the generated cookie back to user space
fails after that point, the error path must not free those resources
again before dropping the MR reference.

Remove the duplicate unpin/free from the put_user() failure branch so
that MR teardown is handled only through the existing final cleanup
path.

Published: 2026-05-27

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The rds transport in the Linux kernel incorrectly performs a duplicate unpin and free when an MR allocation succeeds but a subsequent copy of the cookie to user space fails. This double‑free path can corrupt kernel memory or cause a crash, as the transport tries to release resources it no longer owns. The flaw falls under CWE‑763, highlighting resource mismanagement.

Affected Systems

All Linux kernel builds that include RDS support and are affected by the bug, prior to the commit that removes the duplicate unpin/free. No specific kernel version list is provided, so any kernel with RDS enabled before the patch is vulnerable.

Risk and Exploitability

The CVSS score of 7.0 signals a medium‑to‑high severity. Based on the description, the likely attack vector is causing an RDS MR allocation followed by a failure to copy the generated cookie to user space, which could be triggered by malicious RDS traffic from an attacker within network reach or by privileged kernel code. The EPSS score is not available, which indicates that the exploitation probability is not known. The vulnerability is not listed in the CISA KEV catalogue, implying a lower likelihood of widespread exploitation. Nonetheless, the risk of kernel memory corruption or denial‑of‑service warrants immediate remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0d4597c8c5abdeeaf50774066c16683f30184dc8`	affected	< 8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
`0d4597c8c5abdeeaf50774066c16683f30184dc8`	affected	< d95cea9298be1ba8876e3f156be96d3a492085ca
`0d4597c8c5abdeeaf50774066c16683f30184dc8`	affected	< 033370ffb3c9c0264d19f8ba9ef769523266589a
`0d4597c8c5abdeeaf50774066c16683f30184dc8`	affected	< b3cb8cae530b2727d8245684148bb49425f6765c
`0d4597c8c5abdeeaf50774066c16683f30184dc8`	affected	< 8141a2dc70080eda1aedc0389ed2db2b292af5bd

Linux

affected

Version	Status	Constraints
`5.6`	affected	—
`0`	unaffected	< 5.6
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0d4597c8c5abdeeaf50774066c16683f30184dc8,8fdbb6262a4a3ed44a0830a7793903b54bb27bdc)`	affected	code_commit	—
`[0d4597c8c5abdeeaf50774066c16683f30184dc8,d95cea9298be1ba8876e3f156be96d3a492085ca)`	affected	code_commit	—
`[0d4597c8c5abdeeaf50774066c16683f30184dc8,033370ffb3c9c0264d19f8ba9ef769523266589a)`	affected	code_commit	—
`[0d4597c8c5abdeeaf50774066c16683f30184dc8,b3cb8cae530b2727d8245684148bb49425f6765c)`	affected	code_commit	—
`[0d4597c8c5abdeeaf50774066c16683f30184dc8,8141a2dc70080eda1aedc0389ed2db2b292af5bd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.6`	affected	generic	—
`[0,5.6)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that removes the duplicate unpin/free, or upgrade to a kernel release that contains the fix.
If an upgrade is not possible, disable RDS support in the kernel configuration (e.g., set CONFIG_RDS=n) or unload the rds module at runtime.
Monitor system logs for RDS copy errors and avoid running untrusted code that may trigger the MR allocation path until a fix is applied.

Generated by OpenCVE AI on May 28, 2026 at 06:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a
https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd
https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c
https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca
https://lore.kernel.org/linux-cve-announce/2026052754-CVE-2026-46053-a24e@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46053
https://www.cve.org/CVERecord?id=CVE-2026-46053

History

Thu, 28 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-415

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-763
References		https://lore.kernel.org/linux-cve-announce/2026052754-CVE-2026-46053-a24e@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46053 https://www.cve.org/CVERecord?id=CVE-2026-46053
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 27 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
Title		net: rds: fix MR cleanup on copy error
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:57:11.870Z

Updated: 2026-05-27T12:57:11.870Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46053

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:24.937

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46053

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46053 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:15:10Z

Weaknesses

CWE-763

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object