In the Linux kernel, the following vulnerability has been resolved:
net: rds: fix MR cleanup on copy error
_rdsrdmamap() hands sg/pages ownership to the transport after getmr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference.
Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46053.json",
"cna_assigner": "Linux"
}