Home

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition." There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in. But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path. The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change"). A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued. That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever. So we do two things here: a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code. b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-08 | Assigner Linux




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Product status

Default status
unaffected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before 9bcd7c00691a2db9745817d5ea79262a503b135c
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before a179ac7be8f5a650d0068040705f4cddd6ca369c
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before 19e384a7d00d888303a8285977cdf1970c6cccd6
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before f0f729bdffb08af32e0f54521b81b8a9e0321f16
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before 81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before 899ef00963ce76f9fc421a7d02335fe4ead6389b
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before 9ff599a9be784a808c36765086e3db2144aa3b66
affected

5916e2c1554f3e36f770401c989c3c7fadf619ca (git) before ad22d24be635c6beab6a1fdd3f8b1f3c478d15da
affected

Default status
affected

4.8
affected

Any version before 4.8
unaffected

5.10.252 (semver)
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.16 (semver)
unaffected

6.19.6 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/9bcd7c00691a2db9745817d5ea79262a503b135c

git.kernel.org/...c/a179ac7be8f5a650d0068040705f4cddd6ca369c

git.kernel.org/...c/19e384a7d00d888303a8285977cdf1970c6cccd6

git.kernel.org/...c/f0f729bdffb08af32e0f54521b81b8a9e0321f16

git.kernel.org/...c/81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8

git.kernel.org/...c/899ef00963ce76f9fc421a7d02335fe4ead6389b

git.kernel.org/...c/9ff599a9be784a808c36765086e3db2144aa3b66

git.kernel.org/...c/ad22d24be635c6beab6a1fdd3f8b1f3c478d15da

cve.org (CVE-2026-43226)

nvd.nist.gov (CVE-2026-43226)

Download JSON