CVE-2026-43226

Source
https://cve.org/CVERecord?id=CVE-2026-43226
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43226.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43226
Downstream
Published
2026-05-06T11:28:24.952Z
Modified
2026-06-18T03:56:19.413722482Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
net/rds: No shortcut out of RDS_CONN_ERROR
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: No shortcut out of RDSCONNERROR

RDS connections carry a state "rdsconnpath::cpstate" and transitions from one state to another and are conditional upon an expected state: "rdsconnpathtransition."

There is one exception to this conditionality, which is "RDSCONNERROR" that can be enforced by "rdsconnpath_drop" regardless of what state the condition is currently in.

But as soon as a connection enters state "RDSCONNERROR", the connection handling code expects it to go through the shutdown-path.

The RDS/TCP multipath changes added a shortcut out of "RDSCONNERROR" straight back to "RDSCONNCONNECTING" via "rdstcpacceptonepath" (e.g. after "rdstcpstate_change").

A subsequent "rdstcpresetcallbacks" can then transition the state to "RDSCONN_RESETTING" with a shutdown-worker queued.

That'll trip up "rdsconninitshutdown", which was never adjusted to handle "RDSCONNRESETTING" and subsequently drops the connection with the dreaded "DRINVCONNSTATE", which leaves "RDSSHUTDOWNWORK_QUEUED" on forever.

So we do two things here:

a) Don't shortcut "RDSCONNERROR", but take the longer path through the shutdown code.

b) Add "RDSCONNRESETTING" to the expected states in "rdsconninit_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43226.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5916e2c1554f3e36f770401c989c3c7fadf619ca
Fixed
9bcd7c00691a2db9745817d5ea79262a503b135c
Fixed
a179ac7be8f5a650d0068040705f4cddd6ca369c
Fixed
19e384a7d00d888303a8285977cdf1970c6cccd6
Fixed
f0f729bdffb08af32e0f54521b81b8a9e0321f16
Fixed
81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8
Fixed
899ef00963ce76f9fc421a7d02335fe4ead6389b
Fixed
9ff599a9be784a808c36765086e3db2144aa3b66
Fixed
ad22d24be635c6beab6a1fdd3f8b1f3c478d15da

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43226.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.252
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.202
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.165
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43226.json"