In the Linux kernel, the following vulnerability has been resolved:
net/rds: No shortcut out of RDSCONNERROR
RDS connections carry a state "rdsconnpath::cpstate" and transitions from one state to another and are conditional upon an expected state: "rdsconnpathtransition."
There is one exception to this conditionality, which is "RDSCONNERROR" that can be enforced by "rdsconnpath_drop" regardless of what state the condition is currently in.
But as soon as a connection enters state "RDSCONNERROR", the connection handling code expects it to go through the shutdown-path.
The RDS/TCP multipath changes added a shortcut out of "RDSCONNERROR" straight back to "RDSCONNCONNECTING" via "rdstcpacceptonepath" (e.g. after "rdstcpstate_change").
A subsequent "rdstcpresetcallbacks" can then transition the state to "RDSCONN_RESETTING" with a shutdown-worker queued.
That'll trip up "rdsconninitshutdown", which was never adjusted to handle "RDSCONNRESETTING" and subsequently drops the connection with the dreaded "DRINVCONNSTATE", which leaves "RDSSHUTDOWNWORK_QUEUED" on forever.
So we do two things here:
a) Don't shortcut "RDSCONNERROR", but take the longer path through the shutdown code.
b) Add "RDSCONNRESETTING" to the expected states in "rdsconninit_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43226.json"
}