PatchSiren

CVE-2026-46053 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's Reliable Datagram Sockets (RDS) subsystem. The flaw occurs in `__rds_rdma_map()` when memory region (MR) mapping succeeds but subsequent copying of the generated cookie to user space fails. In this error path, the code incorrectly attempts to free scatter-gather (sg) pages that have already been transferred to transport ownership, leading to potential double-free or use-after-free conditions. The fix removes the duplicate unpin/free operations from the `put_user()` failure branch, ensuring MR teardown occurs only through the established final cleanup path.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with RDS (Reliable Datagram Sockets) enabled should care, particularly those using RDMA capabilities for high-performance networking workloads. Cloud providers, HPC environments, and financial services infrastructure using low-latency kernel networking features are most affected.

Technical summary

The vulnerability is located in `net/rds/rdma.c` in the `__rds_rdma_map()` function. After successful `get_mr()` execution, sg/page ownership transfers to the transport layer. If `put_user()` subsequently fails when copying the MR cookie to userspace, the original error path incorrectly invoked unpin/free operations on resources no longer owned by the caller. This creates a race condition where the transport may simultaneously access these resources while they are being freed, resulting in memory corruption. The correction removes this erroneous cleanup branch, relying solely on the MR reference drop to trigger proper teardown through the transport's established cleanup mechanisms.
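
The ownership rule described above, as a small userspace model in C. This is an added example, not kernel code or the patch itself; every identifier in it is hypothetical, and it counts releases instead of freeing memory so the duplicate teardown can be observed safely.

```c
#include <stdio.h>

/* Userspace model of the error path. It counts releases instead of calling
 * free(), so the double release is observable without undefined behaviour.
 * All identifiers are hypothetical, not taken from net/rds/rdma.c. */
enum owner { OWNER_CALLER, OWNER_TRANSPORT, OWNER_NONE };

struct model_mr {
    int refcount;      /* references held on the MR */
    enum owner pages;  /* current owner of the pinned sg pages */
    int releases;      /* times the pages were unpinned/freed */
    int bad_releases;  /* releases by a non-owner or of freed pages */
};

static void release_pages(struct model_mr *mr, enum owner who)
{
    if (mr->pages != who)
        mr->bad_releases++;
    mr->releases++;
    mr->pages = OWNER_NONE;
}

/* Final cleanup path: the last reference drop runs the owner's teardown. */
static void model_mr_put(struct model_mr *mr)
{
    if (--mr->refcount == 0)
        release_pages(mr, OWNER_TRANSPORT);
}

/* copy_fails simulates put_user() failing on the cookie; legacy selects
 * the pre-fix error branch that also frees the pages in the caller. */
struct model_mr model_rdma_map(int copy_fails, int legacy)
{
    struct model_mr mr = { 1, OWNER_CALLER, 0, 0 };

    mr.pages = OWNER_TRANSPORT;   /* get_mr() succeeded: ownership moved */
    if (!copy_fails)
        return mr;                /* MR stays mapped, nothing released */
    if (legacy)
        release_pages(&mr, OWNER_CALLER);  /* caller no longer owns these */
    model_mr_put(&mr);            /* the only teardown in the fixed flow */
    return mr;
}

int main(void)
{
    struct model_mr pre = model_rdma_map(1, 1), post = model_rdma_map(1, 0);

    printf("pre-fix:  releases=%d bad=%d\n", pre.releases, pre.bad_releases);
    printf("post-fix: releases=%d bad=%d\n", post.releases, post.bad_releases);
    return 0;
}
```

In the pre-fix branch the model records two releases of the same pages, both flagged: the first by a caller that no longer owns them, the second by the final cleanup path acting on pages that are already gone.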

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor vendor security advisories for kernel package updates addressing CVE-2026-46053
  • If running workloads using RDS RDMA, consider temporarily disabling RDS RDMA functionality if patching is not immediately feasible and the feature is not required
  • Review system logs for any RDS-related errors that may indicate exploitation attempts
  • Validate kernel version post-update to confirm patch application

Evidence notes

Vulnerability description confirms double-free/use-after-free pattern in RDS RDMA memory registration error handling. Kernel commit references indicate stable backports to multiple kernel versions.

Official resources

2026-05-27