CVE-2026-43502
Analyzed - Analysis Complete

Linux Kernel Zerocopy Send Cleanup Vulnerability

Publication date: 2026-05-21

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages.

However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.

Meta Information

Published: 2026-05-21
Last Modified: 2026-06-26
Generated: 2026-07-01
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 9 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   7.1
linux    linux_kernel   7.1
linux    linux_kernel   From 6.13 (inc) to 6.18.30 (exc)
linux    linux_kernel   From 5.16 (inc) to 6.1.175 (exc)
linux    linux_kernel   From 5.11 (inc) to 5.15.209 (exc)
linux    linux_kernel   From 6.19 (inc) to 7.0.7 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.88 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.140 (exc)
linux    linux_kernel   From 4.17 (inc) to 5.10.258 (exc)

CWE

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) networking code related to zerocopy send operations.

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The cleanup path infers zerocopy state from whether the message is attached to a socket (rm->m_rs), so a message that failed before being queued can have its pinned pages cleaned up as if they were normal payload pages.

The fix involves capturing the zerocopy notifier state earlier during message purge and using it to correctly determine how to clean up pinned pages, ensuring consistency with zerocopy lifetime rules.

Impact Analysis

If this vulnerability is exploited or triggered, it could lead to improper cleanup of memory pages pinned for zerocopy sends.

This might cause resource leaks or memory corruption in the kernel, potentially leading to system instability or crashes.

Mitigation Strategies

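The vulnerability has been resolved in the Linux kernel by properly handling zerocopy send cleanup before the message is queued. To mitigate it, update to a kernel release that includes the fix: going by the affected ranges listed above, the first releases outside those ranges are 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30 and 7.0.7 on their respective stable series.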
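A first-pass triage check for the ranges in the affected-products table, as an added example that is not part of the original report or of any kernel.org tooling. The function names and result labels are hypothetical. It compares upstream version numbers only, so a distribution kernel that backported the fix without changing its base version will still be flagged, and the two bare "7.1" entries carry no range on the page and are reported separately for manual review.

```python
import re

# Upstream ranges copied from the "Affected Vendors & Products" table:
# (first affected release, inclusive; first release outside the range, exclusive).
AFFECTED_RANGES = [
    ((4, 17, 0), (5, 10, 258)),
    ((5, 11, 0), (5, 15, 209)),
    ((5, 16, 0), (6, 1, 175)),
    ((6, 2, 0), (6, 6, 140)),
    ((6, 7, 0), (6, 12, 88)),
    ((6, 13, 0), (6, 18, 30)),
    ((6, 19, 0), (7, 0, 7)),
]
# The table also lists "7.1" twice with no range; flag the series for review.
LISTED_WITHOUT_RANGE = {(7, 1)}

def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch).

    Suffixes such as "-91-generic" or "-rc3" are ignored and a missing patch
    level ("6.8") is read as 0. Returns None when no version is found.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(release):
    """Return 'affected-range', 'listed-no-range', 'outside-range' or 'unparsed'."""
    version = parse_release(release)
    if version is None:
        return "unparsed"
    for first_affected, first_outside in AFFECTED_RANGES:
        if first_affected <= version < first_outside:
            return "affected-range"
    if version[:2] in LISTED_WITHOUT_RANGE:
        return "listed-no-range"
    return "outside-range"

if __name__ == "__main__":
    import platform
    # Constructed sample release strings, followed by the running kernel.
    samples = ["6.6.139", "6.6.140", "5.15.0-91-generic", "4.16.18", "7.1.0"]
    for rel in samples + [platform.release()]:
        print(f"{rel:28} {classify(rel)}")
```

A host reported as `affected-range` should be confirmed against the distribution's own advisory for CVE-2026-43502 before it is treated as unpatched.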
