Skip to main content

Linux Kernel CVE-2026-43494

| EUVDEUVD-2026-31267 HIGH
Multiple Releases of Same Resource or Handle (CWE-1341)
2026-05-21 Linux GHSA-m5w6-2mrp-4227
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:29 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
CVE Published
May 21, 2026 - 10:49 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 10:49 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

AnalysisAI

Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in net/rds/, the kernel implementation of Reliable Datagram Sockets, a transport protocol originally developed by Oracle for InfiniBand and TCP that exposes a SOCK_SEQPACKET interface to userspace. When userspace sends data with MSG_ZEROCOPY, rds_message_zcopy_from_user() calls iov_iter_get_pages2() to pin user pages into the message's scatter-gather list (op_sg) and records the count in op_nents. On failure, the cleanup path releases the pinned pages with put_page() and clears op_mmp_znotifier, but leaves op_nents non-zero. The later teardown in rds_message_purge() iterates op_nents and calls put_page() again on those same struct page pointers, producing a classic double-free of page references - a CWE-415 style use-after-free/double-free condition in kernel memory management. Affected products per the CPE data are all Linux kernel versions from 4.17 onward up to the fix commit e174929793195e0cd6a4adb0cad731b39f9019b4, which appears in the 7.1-rc4 patch series.

RemediationAI

Upstream fix available as commit e174929793195e0cd6a4adb0cad731b39f9019b4 in the 7.1-rc4 series; apply the corresponding stable-tree backport for your kernel branch (see https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353 and the sibling commits 290e833d1acb1093bc121fcdc97f5e6161157479, 640e37f58f991546a87540d067279c2c1fa9fe51, 9115669faedccdda100428e2d26fd0aac8c50799). Distribution-shipped kernels should be updated as soon as vendor packages land - track the OSS-security thread at http://www.openwall.com/lists/oss-security/2026/05/21/2 for advisory coordination. As a compensating control where patching must be deferred, blacklist the rds and rds_tcp modules via /etc/modprobe.d (install rds /bin/true) which eliminates the affected code path entirely at the cost of breaking any application that depends on AF_RDS sockets - uncommon outside Oracle DB / InfiniBand HPC deployments. Where module removal is not viable, restricting CAP_NET_RAW via seccomp or dropping it from container/service profiles raises the bar for local exploitation, though it does not close the bug for processes that legitimately hold the capability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-43494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy