net/rds: handle zerocopy send cleanup before the message is queued

Summary

CVE: CVE-2026-43502
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-21 13:16:19 UTC
Updated: 2026-06-01 17:17:07 UTC
Description:

In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.024950000 (date 2026-06-02)


Version Source Type Score Severity Vector
3.1 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Secondary 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1 CNA DECLARED 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High


Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 e9aefdc5c53fe9aed108c14e3d155710a1bb14c9 git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 46662f7dc59475995609bf3e9d27eb36f4acf26f git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 1e262db7675e27f42c3f3f47d6011855f4454f24 git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 21d70744e6d3bbf9293aa1ee6fba7c53ad75275e git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 3abc8983b2bae3f487f77d9da5527d7d6b210d46 git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 14ef6fd18db2494098b21e0471bf27a1d8e9993e git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b git Not specified
CNA Linux Linux affected 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 44b550d88b267320459d518c0743a241ab2108fa git Not specified
CNA Linux Linux affected 4.17 Not specified
CNA Linux Linux unaffected 4.17 semver Not specified
CNA Linux Linux unaffected 5.10.258 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.88 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.30 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.7 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc3 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/46662f7dc59475995609bf3e9d27eb36f4acf26f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e9aefdc5c53fe9aed108c14e3d155710a1bb14c9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1e262db7675e27f42c3f3f47d6011855f4454f24 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis