PatchSiren

CVE-2026-43494 Linux CVE debrief

CVE-2026-43494 is a Linux kernel networking bug in the RDS zero-copy send path. If page pinning fails during rds_message_zcopy_from_user(), the code releases the pinned pages and clears one notifier field, but leaves op_nents set. A later cleanup path in rds_message_purge() can then iterate over that stale count and free the pages again, creating a double-free condition in kernel cleanup logic.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels with RDS-enabled workloads should care. Environments that rely on kernel zero-copy send paths are the most directly relevant, but routine kernel patching is advisable for all fleets.

Technical summary

The issue is a state-management bug in net/rds error handling. When iov_iter_get_pages2() fails inside rds_message_zcopy_from_user(), the code correctly releases pinned pages and clears rm->data.op_mmp_znotifier, but it does not reset rm->data.op_nents. That stale nonzero count is later consumed by rds_message_purge() during rds_sendmsg() cleanup, which can free the same pages again. The supplied description indicates a cleanup-path double free / memory corruption risk rather than a user-visible functional bug.
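
The error-path pattern described above, reduced to a userspace model. This is an added example, not kernel code and not taken from the referenced commit: struct msg_model, put_pages, zcopy_model and run_failed_send are hypothetical names, and pages are modelled as plain reference counts so the second release is counted rather than performed.

```c
#include <stdio.h>
#define MAX_PAGES 4

struct msg_model {              /* userspace stand-in for rm->data */
    int sg_refs[MAX_PAGES];     /* reference count of each pinned page */
    unsigned int op_nents;      /* entries of sg_refs[] believed valid */
    void *op_mmp_znotifier;
};

static void put_pages(struct msg_model *rm)   /* one put per counted entry */
{
    for (unsigned int i = 0; i < rm->op_nents; i++)
        rm->sg_refs[i]--;
}

/* Pins pages one by one; pinning fails at index fail_at (error path). */
static int zcopy_model(struct msg_model *rm, unsigned int fail_at, int fixed)
{
    rm->op_mmp_znotifier = rm;              /* any non-NULL value */
    for (unsigned int i = 0; i < MAX_PAGES; i++) {
        if (i == fail_at) {
            put_pages(rm);                  /* release pinned pages */
            rm->op_mmp_znotifier = NULL;    /* notifier is cleared */
            if (fixed)
                rm->op_nents = 0;           /* the reset the fix adds */
            return -1;
        }
        rm->sg_refs[rm->op_nents++] = 1;    /* page pinned */
    }
    return 0;
}

/* Failed send plus cleanup; returns how many pages were released twice. */
int run_failed_send(int fixed)
{
    struct msg_model rm = {0};
    int twice = 0;
    if (zcopy_model(&rm, 2, fixed) != 0)
        put_pages(&rm);             /* cleanup that trusts op_nents */
    for (unsigned int i = 0; i < MAX_PAGES; i++)
        twice += rm.sg_refs[i] < 0; /* below zero: released twice */
    return twice;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", run_failed_send(0), run_failed_send(1));
    return 0;
}
```

With the count left stale, both pages pinned before the failure are released a second time by the cleanup pass; with the reset in place the cleanup loop has nothing to iterate over.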

Defensive priority

High for systems running affected Linux kernel builds, especially where RDS and zero-copy send paths are in use. Prioritize applying the kernel fix in maintenance windows and include it in normal fleet patching even if RDS usage is uncommon.

Recommended defensive actions

  • Apply the Linux kernel update or stable backport that includes the fix for resetting op_nents in rds_message_zcopy_from_user().
  • Verify whether your kernel build includes stable commit e174929793195e0cd6a4adb0cad731b39f9019b4 or an equivalent backport.
  • Prioritize patching systems that use RDS or heavy kernel networking workloads.
  • Stage and test kernel updates in non-production environments before broad rollout.
  • Continue standard kernel crash-monitoring and alerting for any double-free or memory-corruption symptoms in networking paths.

Evidence notes

The supplied CVE text states that iov_iter_get_pages2() failure in rds_message_zcopy_from_user() leaves op_nents uncleared, and that rds_message_purge() later frees the pages again. The only supplied reference is the Linux kernel stable commit e174929793195e0cd6a4adb0cad731b39f9019b4. The NVD item in the supplied corpus is marked Received and does not include CVSS, CPE, or weakness data.

Official resources

Published 2026-05-21. The supplied source and CVE records show the same published/modified timestamp, with no earlier disclosure date provided in the corpus.