PT-2026-42451 · Linux+3 · Linux Kernel+3
Aaron Esau
+1
·
Published
2025-05-05
·
Updated
2026-07-02
·
CVE-2026-43494
CVSS v4.0
8.5
High
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A double-free issue exists in the Reliable Delivery Service (RDS) implementation of the Linux kernel. When the
iov iter get pages2() function fails within rds message zcopy from user(), the pinned pages are released and the rm->data.op mmp znotifier is cleared, but the rm->data.op nents variable is not properly reset. Consequently, when rds message purge() is subsequently called from rds sendmsg(), the cleanup loop iterates over the incorrect non-zero value of op nents, leading to a second attempt to free the same resources.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Double Free
Multiple Releases of Same Resource or Handle
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Red Os
Ubuntu