Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2026-43494— net/rds: reset op_nents when zerocopy page pin fails

AI Predicted 5.5 Difficulty: Moderate EPSS 0.03% · P10

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinux0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3< 9115669faedccdda100428e2d26fd0aac8c50799affected
0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3< 0bbbff00a15b1df2cac9014d6cf4b6890f473353affected
0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3< 640e37f58f991546a87540d067279c2c1fa9fe51affected
0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3< 290e833d1acb1093bc121fcdc97f5e6161157479affected
0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3< e174929793195e0cd6a4adb0cad731b39f9019b4affected
4.17affected
< 4.17unaffected
6.6.141≤ 6.6.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43494

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net/rds: reset op_nents when zerocopy page pin fails
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于rds_message_zcopy_from_user函数中零拷贝页面固定失败时未重置op_nents,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 ~ 9115669faedccdda100428e2d26fd0aac8c50799 -
LinuxLinux 4.17 -

II. Public POCs for CVE-2026-43494

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43494

登录查看更多情报信息。

Patches & Fixes for CVE-2026-43494 (5)

Same Patch Batch · Linux · 2026-05-21 · 8 CVEs total

CVE-2026-43502net/rds: handle zerocopy send cleanup before the message is queued
CVE-2026-43501ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
CVE-2026-43498accel/ivpu: Disallow re-exporting imported GEM objects
CVE-2026-43499rtmutex: Use waiter::task instead of current in remove_waiter()
CVE-2026-43497fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
CVE-2026-43496net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
CVE-2026-43495net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-43494

No comments yet

Leave a comment