Description
In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix MR cleanup on copy error

__rds_rdma_map() hands sg/pages ownership to the transport after
get_mr() succeeds. If copying the generated cookie back to user space
fails after that point, the error path must not free those resources
again before dropping the MR reference.

Remove the duplicate unpin/free from the put_user() failure branch so
that MR teardown is handled only through the existing final cleanup
path.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is in the Linux kernel's RDS code. __rds_rdma_map() hands ownership of sg/pages to the transport after a successful get_mr(). When copying the resulting cookie back to user space failed, the error path freed those resources again, resulting in a duplicate unpin and free. This double-free can corrupt kernel memory or cause a crash. The flaw is characterized as a resource mismanagement vulnerability (CWE-763).
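A userspace model of the ownership rule described above, added here as an illustration and not taken from the kernel source or the fix. All struct and function names are hypothetical, and releases are counted rather than performed so the duplicate is observable without corrupting memory.

```c
#include <stdio.h>

/* Hypothetical model types: not kernel structures. */
struct pages { int pinned; int releases; };  /* releases counts unpin/free calls */
struct mr    { int refs; struct pages *pg; };/* the MR owns pg after the handoff */

enum fail { FAIL_NONE, FAIL_GET_MR, FAIL_COPY };

static void release_pages(struct pages *pg) { pg->pinned = 0; pg->releases++; }

/* Final cleanup path: releases the pages when the last reference is dropped. */
static void mr_put(struct mr *mr)
{
    if (--mr->refs == 0)
        release_pages(mr->pg);
}

/* Models the map path. f selects where it fails; buggy != 0 re-enables the
 * duplicate release in the copy-failure branch. Returns how many times the
 * pages were released; exactly 1 is correct on every path. */
static int map_model(enum fail f, int buggy)
{
    struct pages pg = { 1, 0 };
    struct pages *mine = &pg;    /* caller owns the pages until the handoff */
    struct mr mr = { 1, NULL };
    int have_mr = 0;

    if (f == FAIL_GET_MR)
        goto out;                /* no handoff happened: caller must release */

    mr.pg = mine;                /* get_mr() succeeded: ownership moves to MR */
    mine = NULL;                 /* local pointer cleared so "out" skips it  */
    have_mr = 1;

    if (f == FAIL_COPY && buggy)
        release_pages(&pg);      /* pre-fix branch: frees what the MR owns   */
out:
    if (mine)
        release_pages(mine);     /* only reached while the caller still owns */
    if (have_mr)
        mr_put(&mr);             /* the single teardown path after handoff   */
    return pg.releases;
}

int main(void)
{
    printf("get_mr fails:      %d release(s)\n", map_model(FAIL_GET_MR, 0));
    printf("copy fails, fixed: %d release(s)\n", map_model(FAIL_COPY, 0));
    printf("copy fails, buggy: %d release(s)\n", map_model(FAIL_COPY, 1));
    return 0;
}
```

In the model the success path also drops the reference immediately so the count can be read; a real MR would stay registered until it is torn down later.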

Affected Systems

All Linux kernel builds with RDS support before the patch are affected, including the 5.6 release-candidate series (rc3–rc7). Systems running these kernels with RDS enabled are vulnerable until the fix is applied.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is rated High severity. The EPSS score of less than 1% indicates a very low chance of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves triggering an RDS resource allocation followed by a failure to copy the cookie to user space, which may be induced by malformed or malicious RDS traffic from within network reach or by local exploitation when RDS is enabled. Until patched, the risk of kernel memory corruption or a denial-of-service attack exists.

Generated by OpenCVE AI on June 18, 2026 at 07:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that removes the duplicate unpin/free or upgrade to a kernel release that contains the fix.
  • If upgrading is not immediately possible, disable RDS support in the kernel configuration (e.g., set CONFIG_RDS=n) or unload the rds module at runtime.
  • Monitor system logs for RDS copy errors and avoid running untrusted code that could trigger the MR allocation path until the fix is in place.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.6:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc7:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
Title net: rds: fix MR cleanup on copy error
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:50:56.216Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46053

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:24.937

Modified: 2026-06-17T10:52:59.187

Link: CVE-2026-46053

Redhat

Severity : Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46053 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T07:45:03Z