CVE-2026-43502 (GCVE-0-2026-43502)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
net/rds: handle zerocopy send cleanup before the message is queued
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 21d70744e6d3bbf9293aa1ee6fba7c53ad75275e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 3abc8983b2bae3f487f77d9da5527d7d6b210d46 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 14ef6fd18db2494098b21e0471bf27a1d8e9993e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 44b550d88b267320459d518c0743a241ab2108fa (git)
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "21d70744e6d3bbf9293aa1ee6fba7c53ad75275e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "3abc8983b2bae3f487f77d9da5527d7d6b210d46",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "14ef6fd18db2494098b21e0471bf27a1d8e9993e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "44b550d88b267320459d518c0743a241ab2108fa",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: handle zerocopy send cleanup before the message is queued\n\nA zerocopy send can fail after user pages have been pinned but before\nthe message is attached to the sending socket.\n\nThe purge path currently infers zerocopy state from rm-\u003em_rs, so an\nunqueued message can be cleaned up as if it owned normal payload pages.\nHowever, zerocopy ownership is really determined by the presence of\nop_mmp_znotifier, regardless of whether the message has reached the\nsocket queue.\n\nCapture op_mmp_znotifier up front in rds_message_purge() and use it as\nthe cleanup discriminator. If the message is already associated with a\nsocket, keep the existing completion path. Otherwise, drop the pinned\npage accounting directly and release the notifier before putting the\npayload pages.\n\nThis keeps early send failure cleanup consistent with the zerocopy\nlifetime rules without changing the normal queued completion path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:50.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b"
        },
        {
          "url": "https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa"
        }
      ],
      "title": "net/rds: handle zerocopy send cleanup before the message is queued",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43502",
    "datePublished": "2026-05-21T12:17:50.444Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:50.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

