PT-2026-42451 · Linux+3 · Linux Kernel+3

Aaron Esau

+1

·

Published

2025-05-05

·

Updated

2026-07-02

·

CVE-2026-43494

CVSS v4.0

8.5

High

VectorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description A double-free issue exists in the Reliable Delivery Service (RDS) implementation of the Linux kernel. When the iov iter get pages2() function fails within rds message zcopy from user(), the pinned pages are released and the rm->data.op mmp znotifier is cleared, but the rm->data.op nents variable is not properly reset. Consequently, when rds message purge() is subsequently called from rds sendmsg(), the cleanup loop iterates over the incorrect non-zero value of op nents, leading to a second attempt to free the same resources.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Double Free

Multiple Releases of Same Resource or Handle

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07273
CVE-2026-43494
ECHO-ABBB-9356-9662
OPENSUSE-SU-2026:10954-1
SUSE-SU-2026:2195-1
SUSE-SU-2026:2238-1
USN-8370-1
USN-8371-1
USN-8373-1
USN-8374-1
USN-8388-1
USN-8388-2
USN-8389-1
USN-8391-1
USN-8392-1
USN-8393-1
USN-8426-1
USN-8426-2
USN-8440-1
USN-8461-1
USN-8462-1
USN-8489-1
USN-8497-1
USN-8499-1

Affected Products

Linuxmint
Linux Kernel
Red Os
Ubuntu