CVE-2026-46053
Description
In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix MR cleanup on copy error

__rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference.

Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
| Name | CVE-2026-46053 |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| linux (PTS) | bullseye (security) | 5.10.257-1 | vulnerable |
| linux (PTS) | bookworm | 6.1.170-3 | vulnerable |
| linux (PTS) | bookworm (security) | 6.1.172-1 | vulnerable |
| linux (PTS) | trixie | 6.12.86-1 | fixed |
| linux (PTS) | trixie (security) | 6.12.90-1 | fixed |
| linux (PTS) | forky | 7.0.9-1 | fixed |
| linux (PTS) | sid | 7.0.10-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | trixie | 6.12.86-1 | | | |
| linux | source | (unstable) | 7.0.4-1 | | | |
Notes
https://git.kernel.org/linus/8141a2dc70080eda1aedc0389ed2db2b292af5bd (7.1-rc1)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 7.0.4-1 |
| debian | sid | fixed | 7.0.4-1 |
| debian | trixie | fixed | 6.12.86-1 |
References
- https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
- https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca
- https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a
- https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c
- https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd
- https://security-tracker.debian.org/tracker/CVE-2026-46053