Skip to main content

Linux Kernel EUVDEUVD-2026-27789

| CVE-2026-43226 HIGH
2026-05-06 Linux GHSA-mjj8-gm8f-325h
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:40 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/rds: No shortcut out of RDS_CONN_ERROR

RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition."

There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in.

But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path.

The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").

A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued.

That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.

So we do two things here:

a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code.

b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."

AnalysisAI

Denial of service in Linux kernel's RDS/TCP networking subsystem allows remote unauthenticated attackers to trigger connection state machine deadlock, causing persistent service unavailability. The vulnerability stems from improper state transition handling in RDS_CONN_ERROR conditions introduced by multipath changes, where connections can bypass normal shutdown procedures and become permanently stuck with queued shutdown workers. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS probability of 0.02%, this represents a moderate-severity issue affecting network-facing systems using RDS protocol. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Technical ContextAI

The Reliable Datagram Sockets (RDS) protocol is a Linux kernel networking layer designed for high-performance inter-node communication, commonly used in cluster and database environments. RDS connections maintain state machines tracked via rds_conn_path::cp_state with conditional transitions enforced by rds_conn_path_transition. The RDS_CONN_ERROR state is special-it can be forced by rds_conn_path_drop regardless of current state and should always trigger the shutdown path. The vulnerability exists in the RDS/TCP multipath implementation where rds_tcp_accept_one_path creates an illegal shortcut from RDS_CONN_ERROR directly to RDS_CONN_CONNECTING, bypassing shutdown procedures. When subsequent rds_tcp_reset_callbacks transitions to RDS_CONN_RESETTING with a queued shutdown worker, rds_conn_init_shutdown fails because it was never designed to handle RDS_CONN_RESETTING state, ultimately dropping the connection with DR_INV_CONN_STATE error while leaving RDS_SHUTDOWN_WORK_QUEUED flag set permanently. This represents a state machine logic flaw rather than memory corruption, affecting the RDS protocol implementation's connection lifecycle management.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252 or later for 5.10.y branch, 5.15.202+ for 5.15.y, 6.1.165+ for 6.1.y, 6.6.128+ for 6.6.y, 6.12.75+ for 6.12.y, 6.18.16+ for 6.18.y, 6.19.6+ for 6.19.y, or 7.0+ for mainline. Patches available at https://git.kernel.org/stable/ with specific commits linked in references. For systems unable to immediately patch, disable RDS protocol module (CONFIG_RDS, CONFIG_RDS_TCP) if not required for cluster communication-this completely mitigates the vulnerability but breaks RDS-dependent applications like Oracle RAC interconnects. Alternative temporary mitigation: restrict network access to RDS TCP ports (typically 16385-16390) using iptables/nftables to trusted cluster members only, reducing attack surface to authenticated infrastructure nodes-this does not eliminate the vulnerability but limits exposure to internal network threats. Monitor for connection state anomalies via netstat/ss showing persistent RDS connections in unusual states or system logs indicating DR_INV_CONN_STATE errors. For Oracle RAC deployments, coordinate patching during maintenance windows as RDS disruption affects database cluster interconnect.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy