CVE-2026-43226
Analyzed Analyzed - Analysis Complete
State Transition Bypass in Linux Kernel RDS

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition." There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in. But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path. The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change"). A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued. That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever. So we do two things here: a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code. b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43226
EUVD
EUVD-2026-27789
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 4.8 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) connection handling code. Specifically, it involves improper state transitions when an RDS connection enters the error state "RDS_CONN_ERROR." Normally, connections in this error state should follow a shutdown path. However, a shortcut was introduced that allowed the connection to bypass this shutdown path and move directly back to a connecting state. This caused the shutdown code to encounter unexpected states, leading to errors and leaving shutdown work queued indefinitely.

The fix involves two main changes: first, preventing the shortcut out of the error state so that the shutdown path is always followed; second, updating the shutdown code to recognize a new resetting state to avoid errors if unusual state transitions occur again.

Impact Analysis

This vulnerability can cause RDS connections in the Linux kernel to get stuck in an inconsistent state during error handling. Specifically, the connection handling code may fail to properly shut down connections, leaving shutdown work queued indefinitely. This can lead to resource leaks, degraded network performance, or instability in applications relying on RDS connections.

Mitigation Strategies

The vulnerability involves improper handling of RDS connection states in the Linux kernel, specifically related to the RDS_CONN_ERROR and RDS_CONN_RESETTING states.

Immediate mitigation steps would generally include updating the Linux kernel to a version where this issue is resolved, as the fix involves changes to the kernel's RDS connection state handling code.

Since no CVSS or specific mitigation commands are provided, the best immediate action is to apply the vendor's patch or update to a fixed kernel version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart