CVE-2026-43494 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

PUBLISHED Reserved 2026-05-01 | Published 2026-05-21 | Updated 2026-05-23 | Assigner Linux

Product status

Default status

unaffected

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 (git) before 9115669faedccdda100428e2d26fd0aac8c50799

affected

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 (git) before 0bbbff00a15b1df2cac9014d6cf4b6890f473353

affected

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 (git) before 640e37f58f991546a87540d067279c2c1fa9fe51

affected

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 (git) before 290e833d1acb1093bc121fcdc97f5e6161157479

affected

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 (git) before e174929793195e0cd6a4adb0cad731b39f9019b4

affected

Default status

affected

4.17

affected

Any version before 4.17

unaffected

6.6.141 (semver)

unaffected

6.12.91 (semver)

unaffected

6.18.33 (semver)

unaffected

7.0.10 (semver)

unaffected

7.1-rc4 (original_commit_for_fix)

unaffected

References

www.openwall.com/lists/oss-security/2026/05/21/2

git.kernel.org/...c/9115669faedccdda100428e2d26fd0aac8c50799

git.kernel.org/...c/0bbbff00a15b1df2cac9014d6cf4b6890f473353

git.kernel.org/...c/640e37f58f991546a87540d067279c2c1fa9fe51

git.kernel.org/...c/290e833d1acb1093bc121fcdc97f5e6161157479

git.kernel.org/...c/e174929793195e0cd6a4adb0cad731b39f9019b4

cve.org (CVE-2026-43494)

nvd.nist.gov (CVE-2026-43494)

Download JSON

help @ threatint.eu