HIGH
net/rds ReconnectPending Race
CVE-2026-43230
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI 2.5 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: Clear reconnect pending bit

When canceling the reconnect worker, care must be taken to reset the reconnect-pending bit. If the reconnect worker has not yet been scheduled before it is canceled, the reconnect-pending bit will stay on forever.
02 KernelScan AI Analysis
Risk summary
A race condition in RDS connection shutdown can leave the reconnect-pending bit permanently set, causing connection state inconsistency. This affects systems using RDS for cluster communication, potentially making connections unusable until restart.
Vulnerability analysis
The vulnerability occurs in rds_conn_shutdown(), where cancel_delayed_work_sync() cancels the reconnect worker but fails to clear the RDS_RECONNECT_PENDING bit. If the worker was scheduled but had not executed when it was canceled, this bit remains set forever, creating inconsistent connection state. The fix adds clear_bit(RDS_RECONNECT_PENDING, &cp->cp_flags) after the work cancellation. The attack surface is local, through the RDS socket API; it requires no special privileges but depends on race timing between work scheduling and cancellation.
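A simplified, single-threaded user-space model of the flag handling described above, added here as an illustration; it is not kernel code and not the upstream patch. The `model_*` names are hypothetical, and the model assumes that a set pending bit prevents the reconnect work from being queued again.

```c
#include <stdbool.h>
#include <stdio.h>

#define RECONNECT_PENDING 0x1UL      /* stands in for RDS_RECONNECT_PENDING */

struct model_path {                  /* hypothetical stand-in for the connection path */
    unsigned long flags;             /* stands in for cp->cp_flags */
    bool work_queued;                /* reconnect work is waiting on the queue */
    int reconnects_run;              /* times the reconnect worker actually ran */
};

/* Assumption: the pending bit guards against queueing the worker twice. */
static bool model_queue_reconnect(struct model_path *p)
{
    if (p->flags & RECONNECT_PENDING)
        return false;                /* a reconnect is believed to be pending */
    p->flags |= RECONNECT_PENDING;
    p->work_queued = true;
    return true;
}

/* The worker clears the bit itself, but only if it gets to run. */
static void model_run_worker(struct model_path *p)
{
    if (!p->work_queued)
        return;
    p->work_queued = false;
    p->flags &= ~RECONNECT_PENDING;
    p->reconnects_run++;
}

/* Shutdown path: cancel the queued work; 'fixed' adds the clear after it. */
static void model_shutdown(struct model_path *p, bool fixed)
{
    p->work_queued = false;          /* models cancel_delayed_work_sync() */
    if (fixed)
        p->flags &= ~RECONNECT_PENDING;  /* models the added clear_bit() */
}

/* Queue, cancel before the worker runs, then ask for a reconnect again.
 * Returns how many reconnects ran afterwards. */
int model_reconnects_after_cancel(bool fixed)
{
    struct model_path p = {0};
    model_queue_reconnect(&p);
    model_shutdown(&p, fixed);
    model_queue_reconnect(&p);       /* refused when the bit is stale */
    model_run_worker(&p);
    return p.reconnects_run;
}

int main(void)
{
    printf("without clear: %d reconnect(s)\n", model_reconnects_after_cancel(false));
    printf("with clear:    %d reconnect(s)\n", model_reconnects_after_cancel(true));
    return 0;
}
```

The real code uses atomic bit operations and a workqueue; the model only shows why a bit left set after cancellation blocks every later reconnect request.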
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 3cf001aff71b |
| 5.15 | 5.15.202 | 60b347333ec2 |
| 6.1 | 6.1.165 | 597c46a42930 |
| 6.6 | 6.6.128 | 391200c274e9 |
| 6.12 | 6.12.75 | ba2e3472022f |
| 6.18 | 6.18.16 | 14eae5564053 |
| 6.19 | 6.19.6 | bcf034fa5f66 |
| mainline | 7.0 | b89fc7c2523b |