CVE-2026-43494

When iovitergetpages2() fails in rdsmessagezcopyfromuser(), the pinned pages are released with putpage(), and rm->data.opmmpznotifier is cleared. But we fail to properly clear rm->data.op_nents.

Later when rdsmessagepurge() is called from rdssendmsg() the cleanup loop iterates over the incorrectly non zero number of opnents and frees them again.

Fix this by properly resetting opnents when it should be in rdsmessagezcopyfrom_user().

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43494.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3

Fixed

9115669faedccdda100428e2d26fd0aac8c50799

Fixed

0bbbff00a15b1df2cac9014d6cf4b6890f473353

Fixed

640e37f58f991546a87540d067279c2c1fa9fe51

Fixed

290e833d1acb1093bc121fcdc97f5e6161157479

Fixed

e174929793195e0cd6a4adb0cad731b39f9019b4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43494.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.17.0

Fixed

6.6.141

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.91

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.33

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

7.0.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43494.json"