CVE-2026-43494
Modified Modified - Updated After Analysis

Linux Kernel Memory Corruption in RDS Protocol

Vulnerability report for CVE-2026-43494, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-21

Last updated on: 2026-06-30

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-21
Last Modified
2026-06-30
Generated
2026-07-07
AI Q&A
2026-05-21
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 4.17 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1341 The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) networking code. Specifically, when the function iov_iter_get_pages2() fails during the operation rds_message_zcopy_from_user(), the pinned pages are released correctly, but a counter named op_nents is not properly reset. Later, when the cleanup function rds_message_purge() is called, it incorrectly assumes that op_nents is non-zero and attempts to free resources again, which can lead to improper memory handling.

Impact Analysis

The improper resetting of op_nents can cause the cleanup code to free memory resources multiple times. This can lead to memory corruption, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service.

Mitigation Strategies

The vulnerability in the Linux kernel related to improper resetting of op_nents in the RDS subsystem has been resolved by a patch that properly resets op_nents when iov_iter_get_pages2() fails.

To mitigate this vulnerability immediately, you should update your Linux kernel to the fixed version released on or after 2026-05-21 that includes this patch.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart