CVE-2026-43502

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2026
Last modified:
26/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/rds: handle zerocopy send cleanup before the message is queued<br /> <br /> A zerocopy send can fail after user pages have been pinned but before<br /> the message is attached to the sending socket.<br /> <br /> The purge path currently infers zerocopy state from rm-&gt;m_rs, so an<br /> unqueued message can be cleaned up as if it owned normal payload pages.<br /> However, zerocopy ownership is really determined by the presence of<br /> op_mmp_znotifier, regardless of whether the message has reached the<br /> socket queue.<br /> <br /> Capture op_mmp_znotifier up front in rds_message_purge() and use it as<br /> the cleanup discriminator. If the message is already associated with a<br /> socket, keep the existing completion path. Otherwise, drop the pinned<br /> page accounting directly and release the notifier before putting the<br /> payload pages.<br /> <br /> This keeps early send failure cleanup consistent with the zerocopy<br /> lifetime rules without changing the normal queued completion path.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.17 (including) 5.10.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.7 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*