CVE-2026-43494
net/rds: reset op_nents when zerocopy page pin fails
In the Linux kernel, the following vulnerability has been resolved:
net/rds: reset op_nents when zerocopy page pin fails
When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.
Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.
Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Linuxpublic PoCs found — 5
githubgithub.com/0xBlackash/CVE-2026-43494★ 2githubgithub.com/Koshmare-Blossom/PinTheft-asm★ 1githubgithub.com/Koshmare-Blossom/PinTheft-go★ 0githubgithub.com/tanzz1337/CVE-2026-43494-PinTheft-PoC★ 0githubgithub.com/letsr00t/CVE-2026-43494-PinTheft-PoC★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/v12-security/pocs/tree/main/pinthefthttps://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fahttps://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4http://www.openwall.com/lists/oss-security/2026/05/21/2