HIGHCVE-2026-46053Published Modified CNA Linux
CVE-2026-46053: net: rds: fix MR cleanup on copy error
In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
0033370ffb3c9c0264d19f8ba9ef769523266589a6.6.1406.12.866.18.277.0.47.1-rc18141a2dc70080eda1aedc0389ed2db2b292af5bd8fdbb6262a4a3ed44a0830a7793903b54bb27bdcb3cb8cae530b2727d8245684148bb49425f6765cd95cea9298be1ba8876e3f156be96d3a492085ca
Affected packages
- Linux / Linux< 8fdbb6262a4a3ed44a0830a7793903b54bb27bdc (from 0d4597c8c5abdeeaf50774066c16683f30184dc8) · < d95cea9298be1ba8876e3f156be96d3a492085ca (from 0d4597c8c5abdeeaf50774066c16683f30184dc8) · < 033370ffb3c9c0264d19f8ba9ef769523266589a (from 0d4597c8c5abdeeaf50774066c16683f30184dc8) · < b3cb8cae530b2727d8245684148bb49425f6765c (from 0d4597c8c5abdeeaf50774066c16683f30184dc8) · < 8141a2dc70080eda1aedc0389ed2db2b292af5bd (from 0d4597c8c5abdeeaf50774066c16683f30184dc8)
- Linux / Linux5.6Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H