VYPR
← All advisories
Unrated severityNVD Advisory· Published May 21, 2026

CVE-2026-43494

CVE-2026-43494

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Linux kernel's RDS subsystem due to missing op_nents reset on zerocopy page pin failure, leading to double-free and potential privilege escalation.

Vulnerability

The vulnerability resides in the Linux kernel's RDS (Reliable Datagram Sockets) implementation, specifically in the function rds_message_zcopy_from_user(). When iov_iter_get_pages2() fails during zerocopy page pinning, the function releases pinned pages via put_page() and clears rm->data.op_mmp_znotifier, but fails to reset rm->data.op_nents to zero. This leaves op_nents with a non-zero value referencing already freed pages. The bug affects kernel versions that include the zerocopy page pinning code prior to the fix commit e174929793195e0cd6a4adb0cad731b39f9019b4 [1].

Exploitation

An attacker must trigger a failure of iov_iter_get_pages2() during an RDS zerocopy send operation. This can be achieved by exhausting memory or other resource constraints. When the subsequent rds_sendmsg() path calls rds_message_purge(), the cleanup loop iterates over the incorrect op_nents count and frees pages that have already been released, causing a double-free. The attacker needs the ability to invoke RDS send operations with zerocopy flags; no special privileges beyond local user access are required.

Impact

Successful exploitation results in a double-free condition, which can lead to use-after-free of kernel memory. This may be leveraged to achieve local privilege escalation, denial of service (system crash), or potentially arbitrary code execution in kernel context. The scope is limited to systems where the RDS module is loaded and accessible.

Mitigation

The issue is fixed in Linux kernel commit e174929793195e0cd6a4adb0cad731b39f9019b4 [1]. Users should apply the latest kernel updates from their distribution. No workaround is available; if the RDS module is not required, it can be blacklisted to prevent exploitation.

References
  1. Making sure you're not a bot!

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

2
e17492979319
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 7.1-rc4via kernel-cna
commit
e17492979319
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit

Vulnerability mechanics

Root cause

"Missing reset of op_nents counter when zerocopy page pinning fails, leading to a use-after-free / double-free of pinned pages."

Attack vector

An attacker who can send RDS messages over a local or remote socket can trigger the bug by causing iov_iter_get_pages2() to fail (e.g., by providing a malformed or oversized iovec). When the pinning fails, the code releases the pages and clears the znotifier but does not reset op_nents. Later, rds_message_purge() iterates over the stale non-zero op_nents and frees already-released pages again, causing a double-free [patch_id=1214747].

Affected code

The vulnerability is in the function rds_message_zcopy_from_user() in the net/rds subsystem. When iov_iter_get_pages2() fails, the error path releases pinned pages and clears rm->data.op_mmp_znotifier but fails to reset rm->data.op_nents to zero. The stale op_nents value is later used by rds_message_purge() during cleanup.

What the fix does

The patch adds `rm->data.op_nents = 0;` inside the error path of rds_message_zcopy_from_user(), right after the pinned pages are released and the znotifier is cleared [patch_id=1214746]. This ensures that when rds_message_purge() later checks op_nents, it sees zero and skips the cleanup loop, preventing the double-free of the already-released pages.

Preconditions

  • networkAttacker must be able to send RDS messages over a socket.
  • inputAttacker must supply an iovec that causes iov_iter_get_pages2() to fail (e.g., invalid memory region or insufficient pages).

Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.