HIGHCVE-2026-43494Published Modified CNA Linux
CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails
In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
00bbbff00a15b1df2cac9014d6cf4b6890f473353290e833d1acb1093bc121fcdc97f5e61611574796.6.1416.12.916.18.33640e37f58f991546a87540d067279c2c1fa9fe517.0.107.1-rc49115669faedccdda100428e2d26fd0aac8c50799e174929793195e0cd6a4adb0cad731b39f9019b4
Affected packages
- Linux / Linux< 9115669faedccdda100428e2d26fd0aac8c50799 (from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3) · < 0bbbff00a15b1df2cac9014d6cf4b6890f473353 (from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3) · < 640e37f58f991546a87540d067279c2c1fa9fe51 (from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3) · < 290e833d1acb1093bc121fcdc97f5e6161157479 (from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3) · < e174929793195e0cd6a4adb0cad731b39f9019b4 (from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3)
- Linux / Linux4.17Fixed in 0, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H