HIGH
rds ZeroCopy DoubleFree
CVE-2026-43494
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.5 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non-zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
02 KernelScan AI Analysis
Risk summary
A local user with low privileges can trigger a double free in the RDS (Reliable Datagram Sockets) networking subsystem by making a zerocopy send fail while its user pages are being pinned. The result is kernel memory corruption: at minimum a crash of the host, which is the availability impact, and the CVSS vector above also rates confidentiality and integrity impact as high. Only hosts on which RDS is available are exposed. Note that if rds is built as a module, an unprivileged socket(AF_RDS, ...) call can autoload it unless the module is blacklisted, which is why many distributions ship rds blacklisted; a blacklist entry is the quickest check for whether a host is reachable by this bug.
Vulnerability analysis
rds_message_zcopy_from_user() pins the user pages of a MSG_ZEROCOPY send with iov_iter_get_pages2(), records them in the scatterlist rm->data.op_sg and counts them in rm->data.op_nents. When iov_iter_get_pages2() fails partway (for example because an iov entry points at unmapped memory), the error path releases the pages already pinned with put_page() and clears rm->data.op_mmp_znotifier, but leaves rm->data.op_nents at its pre-failure value. rds_sendmsg() then tears the failed message down through rds_message_purge(), whose cleanup loop trusts op_nents, walks the same scatterlist entries again and drops a second reference on pages the error path has already released: a double free. The fix adds a single line to the error path that resets op_nents to 0, so the purge loop sees an empty scatterlist. The attack surface is local: the caller needs an RDS socket with SO_ZEROCOPY enabled and must send with the MSG_ZEROCOPY flag, since rds_sendmsg() only takes the zerocopy path when both are set.
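As an added illustration, not the kernel's code and not part of the advisory, the following user-space model reproduces the stale-count pattern described above: a builder that pins pages and bails out partway, an error path that releases what it pinned, and a purge routine that trusts the entry count. Running it with the error-path reset disabled shows the second release of already-released pages; with the reset enabled it shows none. The field names op_sg, op_nents and op_mmp_znotifier follow the advisory; the page pool, page_pin(), page_put(), the fail_at parameter and the double-free counter are assumptions of the model.

```c
/*
 * User-space model of the net/rds error path in this advisory. This is
 * an added illustration, not kernel code. "Pages" are slots in a small
 * refcount table: pinning takes a reference, releasing drops one, and a
 * drop on a slot that is already at zero is counted as a double free.
 * op_sg / op_nents / op_mmp_znotifier mirror the advisory's field names;
 * NPAGES, MAX_SG, page_pin, page_put and fail_at are assumed for the model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 8   /* size of the modelled page pool */
#define MAX_SG 4   /* scatterlist capacity of one message */

static int page_refs[NPAGES];   /* modelled refcounts, 0 = not pinned */
static int double_frees;        /* releases of a page that was not pinned */

static void pages_reset(void)
{
    memset(page_refs, 0, sizeof(page_refs));
    double_frees = 0;
}

/* stand-in for the reference iov_iter_get_pages2() takes on each page */
static void page_pin(int idx) { page_refs[idx]++; }

/* stand-in for put_page(): drop one reference, flag a drop past zero */
static void page_put(int idx)
{
    if (page_refs[idx] <= 0) {
        double_frees++;
        return;
    }
    page_refs[idx]--;
}

struct rds_message {
    int  op_sg[MAX_SG];        /* page index held by each scatterlist entry */
    int  op_nents;             /* number of populated entries */
    bool op_mmp_znotifier;     /* a pointer in the kernel; modelled as a flag */
};

/*
 * Model of rds_message_zcopy_from_user(): pin up to npages pages, failing
 * on the fail_at-th pin (fail_at < 0 means every pin succeeds). On failure,
 * release what was pinned and clear the notifier. With reset_nents == false
 * the model keeps the bug: op_nents stays stale after the pages are gone.
 */
static int zcopy_from_user(struct rds_message *rm, int npages,
                           int fail_at, bool reset_nents)
{
    int i;

    rm->op_mmp_znotifier = true;
    rm->op_nents = 0;
    for (i = 0; i < npages && i < MAX_SG; i++) {
        if (i == fail_at)
            goto err;
        page_pin(i);
        rm->op_sg[i] = i;
        rm->op_nents++;
    }
    return 0;

err:
    for (i = 0; i < rm->op_nents; i++)
        page_put(rm->op_sg[i]);
    rm->op_mmp_znotifier = false;
    if (reset_nents)
        rm->op_nents = 0;          /* the fix: nothing is left for purge to free */
    return -1;
}

/* Model of rds_message_purge(): release every entry op_nents claims is live */
static void message_purge(struct rds_message *rm)
{
    int i;

    for (i = 0; i < rm->op_nents; i++)
        page_put(rm->op_sg[i]);
    rm->op_nents = 0;
}

/*
 * Drive the send path the way rds_sendmsg() does: build the zerocopy
 * message, then purge it whether or not the build succeeded.
 * Returns the number of double frees the model observed.
 */
static int run_send(int npages, int fail_at, bool fixed)
{
    struct rds_message rm;

    pages_reset();
    memset(&rm, 0, sizeof(rm));
    zcopy_from_user(&rm, npages, fail_at, fixed);
    message_purge(&rm);
    return double_frees;
}

int main(void)
{
    printf("buggy, pin fails at page 2: %d double free(s)\n", run_send(4, 2, false));
    printf("fixed, pin fails at page 2: %d double free(s)\n", run_send(4, 2, true));
    printf("fixed, all pins succeed:    %d double free(s)\n", run_send(4, -1, true));
    return 0;
}
```

The model makes the general point behind the fix visible: an error path that releases resources must also invalidate the count that later cleanup code uses to find them, otherwise the normal teardown path becomes the second free. A failure on the very first pin is harmless in both variants because op_nents is still zero, which is why such bugs are easy to miss in tests that only fail early.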
03 Fix Versions

| Stable branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | c6e51512a784 |
| 5.15 | 5.15.209 | 03014551938a |
| 6.1 | 6.1.175 | d84ce1786ce4 |
| 6.6 | 6.6.141 | 9115669faedc |
| 6.12 | 6.12.91 | 0bbbff00a15b |
| 6.18 | 6.18.33 | 640e37f58f99 |
| 7.0 | 7.0.10 | 290e833d1acb |
| mainline | 7.1-rc4 | e17492979319 |