CVE-2026-43226
Awaiting Analysis - Queue
State Transition Bypass in Linux Kernel RDS

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: No shortcut out of RDS_CONN_ERROR

RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another are conditional upon an expected state: "rds_conn_path_transition."

There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in.

But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path.

The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").

A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued.

That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.

So we do two things here:

a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code.

b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again.

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) connection handling code. Specifically, it involves improper state transitions when an RDS connection enters the error state "RDS_CONN_ERROR." Normally, connections in this error state should follow a shutdown path. However, a shortcut was introduced that allowed the connection to bypass this shutdown path and move directly back to a connecting state. This caused the shutdown code to encounter unexpected states, leading to errors and leaving shutdown work queued indefinitely.

The fix involves two main changes: first, removing the shortcut out of the error state so that the shutdown path is always followed; second, adding the resetting state "RDS_CONN_RESETTING" to the states the shutdown code expects, so that it does not error out and get stuck if unusual state transitions occur again.
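
The state handling described above can be replayed in a small user-space model. This is an added example, not kernel code: the function names follow the description, but their bodies, the struct fields "work_queued" and "inv_conn_state", and the "replay" helper are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (assumption): names follow the description, bodies are simplified. */
enum { RDS_CONN_DOWN, RDS_CONN_CONNECTING, RDS_CONN_DISCONNECTING,
       RDS_CONN_UP, RDS_CONN_RESETTING, RDS_CONN_ERROR };
struct rds_conn_path { int cp_state; bool work_queued; bool inv_conn_state; };

/* Conditional transition: succeeds only from the expected state. */
static bool rds_conn_path_transition(struct rds_conn_path *cp, int old, int new_state)
{
    if (cp->cp_state != old) return false;
    cp->cp_state = new_state;
    return true;
}

/* The one unconditional transition: force ERROR, queue the shutdown worker. */
static void rds_conn_path_drop(struct rds_conn_path *cp)
{
    cp->cp_state = RDS_CONN_ERROR;
    cp->work_queued = true;   /* models RDS_SHUTDOWN_WORK_QUEUED */
}

/* Shutdown entry; accept_resetting models change (b). */
static void rds_conn_init_shutdown(struct rds_conn_path *cp, bool accept_resetting)
{
    if (!rds_conn_path_transition(cp, RDS_CONN_UP, RDS_CONN_DISCONNECTING) &&
        !rds_conn_path_transition(cp, RDS_CONN_ERROR, RDS_CONN_DISCONNECTING) &&
        !(accept_resetting &&
          rds_conn_path_transition(cp, RDS_CONN_RESETTING, RDS_CONN_DISCONNECTING))) {
        cp->inv_conn_state = true;   /* models the DR_INV_CONN_STATE drop */
        return;                      /* work_queued is never cleared */
    }
    cp->cp_state = RDS_CONN_DOWN;
    cp->work_queued = false;
}

/* Replays the described sequence; returns true if the path ends up stuck. */
static bool replay(bool shortcut, bool accept_resetting)
{
    struct rds_conn_path cp = { RDS_CONN_UP, false, false };
    rds_conn_path_drop(&cp);
    if (shortcut &&   /* accept-path shortcut that change (a) removes */
        rds_conn_path_transition(&cp, RDS_CONN_ERROR, RDS_CONN_CONNECTING))
        cp.cp_state = RDS_CONN_RESETTING;   /* later callback reset (assumed unconditional) */
    rds_conn_init_shutdown(&cp, accept_resetting);
    return cp.work_queued && cp.inv_conn_state;
}

int main(void) { printf("%d %d %d\n", replay(true, false), replay(false, false), replay(true, true)); return 0; }
```

Only the combination of the shortcut with a shutdown routine that does not expect "RDS_CONN_RESETTING" leaves the queued flag set; either change alone lets the modelled path reach the down state.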


How can this vulnerability impact me?

This vulnerability can cause RDS connections in the Linux kernel to get stuck in an inconsistent state during error handling. Specifically, the connection handling code may fail to properly shut down connections, leaving shutdown work queued indefinitely. This can lead to resource leaks, degraded network performance, or instability in applications relying on RDS connections.

