In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

A flaw was found in the Linux kernel, specifically within the `net/rds` module. When a zerocopy page pin operation fails, a counter used for memory management (`op_nents`) is not correctly reset. This can result in a double-free vulnerability, where the same memory is released twice. A local attacker could potentially exploit this to cause the system to crash (denial of service) or, in some cases, execute unauthorized code.

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Under investigation kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-43494 https://nvd.nist.gov/vuln/detail/CVE-2026-43494 https://lore.kernel.org/linux-cve-announce/2026052130-CVE-2026-43494-a65a@gregkh/T