CVE-2026-43494

net/rds: reset op_nents when zerocopy page pin fails

Assigner: Linux
Reserved: 01.05.2026 Published: 21.05.2026 Updated: 21.05.2026

In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 to e174929793195e0cd6a4adb0cad731b39f9019b4 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 to e174929793195e0cd6a4adb0cad731b39f9019b4 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 4.17 is affected unaffected from 0 to 4.17 (excl.) unaffected from 7.1-rc4 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 4.17 is affected
unaffected from 0 to 4.17 (excl.)
unaffected from 7.1-rc4 to * (incl.)

References

CVE-2026-43494 PUBLISHED

net/rds: reset op_nents when zerocopy page pin fails

Product Status

References