CVE-2026-43226 Overview
CVE-2026-43226 is a Linux kernel vulnerability in the Reliable Datagram Sockets (RDS) networking subsystem. The flaw resides in the RDS/TCP multipath code path that manages connection state transitions through rds_conn_path::cp_state. A shortcut in rds_tcp_accept_one_path allows a connection to move directly from RDS_CONN_ERROR back to RDS_CONN_CONNECTING, bypassing the expected shutdown path. A subsequent call to rds_tcp_reset_callbacks can then push the connection into RDS_CONN_RESETTING, an unhandled state in rds_conn_init_shutdown, leaving RDS_SHUTDOWN_WORK_QUEUED set indefinitely.
Critical Impact
The unexpected state transition causes connection shutdown work to remain queued forever, leading to RDS connection hang conditions and potential denial-of-service on affected Linux hosts using RDS over TCP.
Affected Products
- Linux kernel versions containing the RDS/TCP multipath implementation
- Systems with the net/rds subsystem enabled and using TCP transport
- Distributions shipping vulnerable kernel versions prior to the upstream stable fixes
Discovery Timeline
- 2026-05-06 - CVE-2026-43226 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43226
Vulnerability Analysis
RDS connections track lifecycle progression through rds_conn_path::cp_state and rely on rds_conn_path_transition to enforce conditional state changes. The function only permits a transition when the current state matches an expected source state. One exception exists: rds_conn_path_drop can force a connection into RDS_CONN_ERROR regardless of current state.
Once a connection enters RDS_CONN_ERROR, the code path expects the connection to traverse the shutdown sequence. The RDS/TCP multipath changes introduced a shortcut in rds_tcp_accept_one_path, called from contexts such as rds_tcp_state_change, that transitions the connection straight from RDS_CONN_ERROR back to RDS_CONN_CONNECTING. This skips the required shutdown handling.
Root Cause
The root cause is an incomplete state machine. After the shortcut returns the connection to RDS_CONN_CONNECTING, a follow-up call to rds_tcp_reset_callbacks can transition the state to RDS_CONN_RESETTING and queue a shutdown worker. The function rds_conn_init_shutdown was never updated to accept RDS_CONN_RESETTING as a valid source state. It instead drops the connection with DR_INV_CONN_STATE, leaving RDS_SHUTDOWN_WORK_QUEUED permanently set. This is a kernel state-machine logic flaw rather than a memory-safety bug.
Attack Vector
Triggering the condition requires inducing an RDS/TCP connection error followed by a re-accept event on the same path. The fault occurs through normal RDS/TCP socket operations and does not require crafted memory corruption. The vulnerability manifests on hosts that expose RDS over TCP to peers capable of generating connection-state churn. Refer to the upstream Linux kernel commits for the precise code paths involved.
The upstream fix applies two changes: it removes the shortcut so connections in RDS_CONN_ERROR always traverse the shutdown path, and it adds RDS_CONN_RESETTING to the expected states accepted by rds_conn_init_shutdown.
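The sequence described above can be replayed in a small user-space C model. This is an added illustration, not kernel source: the function names mirror the advisory, while the bodies, the `fixed` switch, the `pending` counter, and the assumption that the queued flag is cleared only by a successful shutdown are simplifications.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only: names follow the advisory, bodies are assumptions. */
enum cp_state { RDS_CONN_DOWN, RDS_CONN_CONNECTING, RDS_CONN_DISCONNECTING,
                RDS_CONN_UP, RDS_CONN_RESETTING, RDS_CONN_ERROR };
struct path { enum cp_state state; bool work_queued; int pending; };
/* rds_conn_path_transition: succeeds only from the expected source state. */
static bool transition(struct path *p, enum cp_state from, enum cp_state to) {
    if (p->state != from) return false;
    p->state = to;
    return true;
}
/* Assumption: work is queued only while RDS_SHUTDOWN_WORK_QUEUED is clear. */
static void queue_shutdown(struct path *p) {
    if (!p->work_queued) { p->work_queued = true; p->pending++; }
}
/* rds_conn_path_drop: the one unconditional transition, always to ERROR. */
static void path_drop(struct path *p) { p->state = RDS_CONN_ERROR; queue_shutdown(p); }
/* rds_tcp_accept_one_path: pre-fix code also accepts ERROR as a source. */
static bool accept_one_path(struct path *p, bool fixed) {
    return transition(p, RDS_CONN_DOWN, RDS_CONN_CONNECTING) ||
           (!fixed && transition(p, RDS_CONN_ERROR, RDS_CONN_CONNECTING));
}
/* rds_tcp_reset_callbacks: CONNECTING -> RESETTING, then request shutdown. */
static void reset_callbacks(struct path *p) {
    if (transition(p, RDS_CONN_CONNECTING, RDS_CONN_RESETTING)) queue_shutdown(p);
}
/* rds_conn_init_shutdown as worker body; flag is cleared only on success. */
static void shutdown_worker(struct path *p, bool fixed) {
    p->pending--;
    if (transition(p, RDS_CONN_ERROR, RDS_CONN_DISCONNECTING) ||
        (fixed && transition(p, RDS_CONN_RESETTING, RDS_CONN_DISCONNECTING))) {
        p->state = RDS_CONN_DOWN;
        p->work_queued = false;
    } else {
        path_drop(p); /* DR_INV_CONN_STATE: flag already set, nothing re-queued */
    }
}
/* Error, re-accept, callback reset, then the worker runs. True if hung. */
static bool scenario_hangs(bool fixed) {
    struct path p = { RDS_CONN_UP, false, 0 };
    path_drop(&p);
    if (accept_one_path(&p, fixed)) reset_callbacks(&p);
    while (p.pending > 0) shutdown_worker(&p, fixed);
    return p.work_queued;
}
int main(void) {
    printf("pre-fix hangs: %d, fixed hangs: %d\n", scenario_hangs(false), scenario_hangs(true));
}
```

In the pre-fix run the path ends in RDS_CONN_ERROR with the queued flag set and no worker pending, which is the hang condition; with both changes applied the path reaches RDS_CONN_DOWN and the flag is cleared.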
Detection Methods for CVE-2026-43226
Indicators of Compromise
- Kernel log entries referencing DR_INV_CONN_STATE from the RDS subsystem
- RDS connections stuck with RDS_SHUTDOWN_WORK_QUEUED set and no progress through shutdown
- Persistent rds_conn_path instances oscillating between RDS_CONN_ERROR and RDS_CONN_CONNECTING
Detection Strategies
- Monitor dmesg and /var/log/kern.log for repeated RDS state-transition errors and invalid connection state messages
- Inspect /proc/net/rds/connections for connections stalled in non-terminal states
- Audit running kernel versions across the fleet against the fixed stable kernel commits referenced in the Linux Kernel Stable Tree
Monitoring Recommendations
- Alert on sustained growth of queued RDS shutdown work items via kernel tracepoints
- Track kernel version inventory and flag hosts running unpatched kernels with CONFIG_RDS_TCP=y
- Correlate RDS error log volume with network connectivity events to identify exploitable conditions
How to Mitigate CVE-2026-43226
Immediate Actions Required
- Apply the upstream stable kernel updates that include the RDS state-transition fix referenced in the kernel.org commits
- Identify hosts with the RDS module loaded using lsmod | grep rds and prioritize patching where RDS/TCP is in active use
- Restrict RDS/TCP exposure to trusted network segments until patched kernels are deployed
Patch Information
The fix is committed in the Linux stable trees. See the relevant patches: commit 19e384a7d00d, commit 81248b1eb3c5, commit 899ef00963ce, commit 9bcd7c00691a, commit 9ff599a9be78, commit a179ac7be8f5, commit ad22d24be635, and commit f0f729bdffb0. Update to a stable kernel release that incorporates these commits.
Workarounds
- Disable the RDS module where it is not required by blacklisting rds and rds_tcp in /etc/modprobe.d/
- Block RDS/TCP traffic at host or network firewalls if the protocol is not in production use
- Reboot affected hosts to clear stuck RDS_SHUTDOWN_WORK_QUEUED state when symptoms are observed
# Configuration example
# Blacklist RDS modules to mitigate exposure on hosts that do not require RDS
echo "blacklist rds" | sudo tee /etc/modprobe.d/blacklist-rds.conf
echo "blacklist rds_tcp" | sudo tee -a /etc/modprobe.d/blacklist-rds.conf
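# Rebuild the initramfs so the blacklist also applies at early boot
# (Debian/Ubuntu command; RHEL-family hosts use: sudo dracut -f)
sudo update-initramfs -u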
# Verify modules are not currently loaded
lsmod | grep -E '^rds'


