CVE-2026-43502
Received - Intake
Linux Kernel Zerocopy Send Cleanup Vulnerability

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
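The cleanup decision described above, as an added userspace model that is not the kernel patch or any code from this page. Only `m_rs` and `op_mmp_znotifier` are names from the advisory; the structs, counters and function names are hypothetical, and the sample message is constructed.

```c
#include <stdio.h>

/* Userspace model, not kernel code. m_rs and op_mmp_znotifier are named in the
 * advisory; every other identifier is hypothetical. */
struct sock_model { int zcopy_completions; };
struct znotifier_model { long pinned; };
struct msg_model {
    struct sock_model *m_rs;                   /* NULL until queued on a socket */
    struct znotifier_model *op_mmp_znotifier;  /* non-NULL: pinned user pages */
    long nr_pages;
};
struct purge_result { long put, freed, unaccounted; int notifier_released; };

/* Behaviour described as pre-fix: zerocopy is inferred from m_rs. */
struct purge_result purge_before(struct msg_model *rm)
{
    struct purge_result r = {0, 0, 0, 0};
    int zcopy = rm->m_rs && rm->op_mmp_znotifier;
    if (zcopy)
        rm->m_rs->zcopy_completions++;         /* queued completion path */
    if (zcopy) r.put = rm->nr_pages;
    else       r.freed = rm->nr_pages;         /* wrong for pinned user pages */
    return r;
}

/* Behaviour described as post-fix: notifier captured up front decides. */
struct purge_result purge_after(struct msg_model *rm)
{
    struct purge_result r = {0, 0, 0, 0};
    struct znotifier_model *zn = rm->op_mmp_znotifier;
    if (zn && rm->m_rs) {
        rm->m_rs->zcopy_completions++;         /* existing path, unchanged */
    } else if (zn) {
        r.unaccounted = zn->pinned;            /* drop pinned accounting directly */
        r.notifier_released = 1;               /* release before putting pages */
    }
    rm->op_mmp_znotifier = NULL;
    if (zn) r.put = rm->nr_pages;
    else    r.freed = rm->nr_pages;
    return r;
}

int main(void)
{
    struct znotifier_model zn = { 4 };
    struct msg_model early = { NULL, &zn, 4 }; /* constructed: failed before queueing */
    struct purge_result b = purge_before(&early), a = purge_after(&early);
    printf("before: put=%ld freed=%ld\n", b.put, b.freed);
    printf("after:  put=%ld freed=%ld unaccounted=%ld\n", a.put, a.freed, a.unaccounted);
    return 0;
}
```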
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-05-21
AI Q&A: 2026-05-21
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) networking code related to zerocopy send operations.

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The cleanup process incorrectly infers zerocopy state based on whether the message is queued, which can lead to improper cleanup of pinned pages.

The fix involves capturing the zerocopy notifier state earlier during message purge and using it to correctly determine how to clean up pinned pages, ensuring consistency with zerocopy lifetime rules.


How can this vulnerability impact me?

If this vulnerability is exploited or triggered, it could lead to improper cleanup of memory pages pinned for zerocopy sends.

This might cause resource leaks or memory corruption in the kernel, potentially leading to system instability or crashes.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by properly handling zerocopy send cleanup before the message is queued. To mitigate this vulnerability, you should update your Linux kernel to the version that includes this fix.

