Skip to main content

Linux Kernel EUVDEUVD-2026-31275

| CVE-2026-43502 HIGH
2026-05-21 Linux GHSA-mhq7-fqmq-29pq
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:22 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.

AnalysisAI

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from an error in zerocopy send cleanup logic where an early-failed send can have its pinned user pages mishandled. The flaw affects multiple kernel branches from 4.17 onward and is fixed across stable trees (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3). No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Technical ContextAI

The vulnerability lives in net/rds, the kernel's Reliable Datagram Sockets implementation used primarily over Infiniband/RDMA fabrics. In the zerocopy send path, the kernel pins user pages and attaches an op_mmp_znotifier to track completion. The buggy rds_message_purge() inferred zerocopy ownership from rm->m_rs (the sending socket pointer), but a send can fail after pages are pinned yet before the message is queued to a socket, leaving rm->m_rs NULL while the message still owns pinned pages and a notifier. The purge path then cleans the message as a normal (non-zerocopy) payload, mismanaging pinned page accounting and notifier release. The class of bug is improper resource lifecycle management in an error path (a CWE-officially-unassigned issue, but conceptually CWE-459/CWE-672-style cleanup error), affecting kernels per CPE cpe:2.3:a:linux:linux:*.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) depending on your stable branch, picking up the fix commits listed at https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e and the companion stable backports. Distribution users should track their vendor's kernel update advisory (Red Hat, SUSE, Ubuntu, Debian) and apply the corresponding kernel package. As a compensating control where immediate patching is not possible, prevent the vulnerable code from being reachable by blacklisting the rds module (echo 'install rds /bin/true' > /etc/modprobe.d/blacklist-rds.conf and unloading it if not actively used) - the trade-off is that any application relying on AF_RDS sockets (notably some Oracle RAC interconnect deployments and RDMA workloads) will break. Restricting which local users can create RDS sockets via seccomp profiles or LSM policy is a narrower mitigation but requires per-workload tuning.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-31275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy