PatchSiren

CVE-2026-43502 Linux CVE debrief

CVE-2026-43502 is a Linux kernel RDS cleanup bug in the zerocopy send path. The supplied fix description says a send can fail after user pages are pinned but before the message is attached to the socket queue, and that the old purge logic could clean up an unqueued message using the wrong ownership path. The correction is to treat op_mmp_znotifier as the zerocopy ownership indicator, even before queueing, so early-failure cleanup follows the proper lifetime rules.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and maintainers running Linux kernels with the RDS networking stack, especially systems that use zerocopy send behavior or rely on precise page-pin accounting and notifier cleanup.

Technical summary

The vulnerability is described as an RDS message cleanup mismatch during early zerocopy send failure. The existing rds_message_purge() logic inferred zerocopy state from rm->m_rs, which works for queued messages but can mis-handle a message that fails before it is attached to the socket. The fix captures op_mmp_znotifier up front and uses it to decide cleanup: if the message is already associated with a socket, the normal completion path remains in place; otherwise, pinned page accounting is dropped directly and the notifier is released before payload pages are put back. This changes the pre-queue failure path without altering normal queued completion behavior.
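
The ownership rule described above, as an added userspace C model; it is not the kernel's code or the patch itself. Only m_rs and op_mmp_znotifier come from the fix description; the structs, function names and the four-page sample are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only. m_rs and op_mmp_znotifier are the field names from
 * the advisory; every other identifier here is hypothetical. */
struct znotifier { int pinned; };        /* pages charged to the sender */
struct rds_msg {
    void *m_rs;                          /* non-NULL once queued on a socket */
    struct znotifier *op_mmp_znotifier;  /* non-NULL once user pages are pinned */
};
struct outcome {
    bool pages_as_zcopy;     /* payload released as pinned user pages */
    bool notifier_released;  /* notifier completed or released */
    bool via_completion;     /* socket completion path was used */
    int  pinned_left;        /* accounting still charged after purge */
};

/* Pre-fix shape: zerocopy state is only recognised when m_rs is set. */
static struct outcome purge_old(struct rds_msg *rm)
{
    struct outcome o = { false, false, false, 0 };
    if (rm->m_rs && rm->op_mmp_znotifier) {
        rm->op_mmp_znotifier->pinned = 0;  /* completion path unaccounts */
        o.pages_as_zcopy = o.notifier_released = o.via_completion = true;
    }
    if (rm->op_mmp_znotifier)
        o.pinned_left = rm->op_mmp_znotifier->pinned;
    return o;
}

/* Post-fix shape: the notifier pointer alone marks zerocopy ownership. */
static struct outcome purge_fixed(struct rds_msg *rm)
{
    struct znotifier *zn = rm->op_mmp_znotifier;  /* captured up front */
    struct outcome o = { zn != NULL, false, false, 0 };
    if (zn) {
        o.via_completion = rm->m_rs != NULL;  /* queued: normal path kept */
        zn->pinned = 0;                       /* unqueued: dropped directly */
        o.notifier_released = true;
    }
    return o;
}

int main(void)
{
    struct znotifier a = { 4 }, b = { 4 };   /* constructed: 4 pinned pages */
    struct rds_msg ea = { NULL, &a }, eb = { NULL, &b };
    printf("old=%d fixed=%d\n", purge_old(&ea).pinned_left, purge_fixed(&eb).pinned_left);
    return 0;
}
```

In the early-failure case (pages pinned, m_rs still NULL) the pre-fix shape leaves the accounting charged and the notifier unreleased, while the post-fix shape clears both without touching the queued path.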

Defensive priority

Medium for environments that enable and depend on Linux RDS zerocopy sends; lower priority if the RDS stack is not used. The issue is framed as cleanup and lifetime handling rather than a confirmed remote code execution path, but it can affect resource accounting and memory ownership consistency.

Recommended defensive actions

  • Apply the Linux kernel stable fixes referenced in the supplied corpus.
  • Verify whether RDS and zerocopy send features are enabled in your kernels and workloads.
  • Review early-failure cleanup paths for page-pinning and notifier release consistency.
  • Regression-test RDS send failure handling, especially cases where messages fail before queue attachment.
  • Monitor vendor or distribution kernel advisories for backported versions of the fix.

Evidence notes

The supplied source text states that a zerocopy send can fail after user pages are pinned but before the message is queued, and that rds_message_purge() previously inferred zerocopy state from rm->m_rs. It also states the fix is to use op_mmp_znotifier as the zerocopy discriminator and to release pinned page accounting and notifier state directly when the message has not reached the socket queue. The corpus provides official CVE/NVD links and five Linux kernel stable reference URLs, but no CVSS score, exploit details, affected version range, or confirmed impact beyond the cleanup/lifetime issue.

Official resources

Publicly disclosed in the supplied NVD record on 2026-05-21T13:16:19.520Z. The corpus ties the issue to Linux kernel stable fixes referenced by official kernel commit URLs.