CVE-2026-43494

HIGH

net/rds: reset op_nents when zerocopy page pin fails

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 10 public exploits for CVE-2026-43494. PoCs published by Unclecheng-li, jayhutajulu1, letsr00t.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-43494, leveraging a double-free vulnerability in the Linux kernel's RDS zcopy mechanism combined with io_uring to achieve local privilege escalation (LPE). The exploit manipulates page references, bypasses kernel protections like init_on_alloc, and overwrites page cache to execute arbitrary code as root.

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

Exploits (10)

github WORKING POC 95 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-43494 PinTheft

This repository contains a functional exploit for CVE-2026-43494, leveraging a double-free vulnerability in the Linux kernel's RDS zcopy mechanism combined with io_uring to achieve local privilege escalation (LPE). The exploit manipulates page references, bypasses kernel protections like init_on_alloc, and overwrites page cache to execute arbitrary code as root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel (with CONFIG_RDS, CONFIG_RDS_TCP, and CONFIG_IO_URING)
No auth needed
Prerequisites: CONFIG_RDS enabled · CONFIG_RDS_TCP enabled · CONFIG_IO_URING enabled · io_uring_disabled=0 · readable suid-root binary
mistral-large-3 · analyzed May 22, 2026 Full analysis →
github WORKING POC 3 stars
by jayhutajulu1 · cpoc
https://github.com/jayhutajulu1/CVE-2026-43494-PinTheft-PoC

This repository contains a functional exploit for CVE-2026-43494, a Linux kernel local privilege escalation vulnerability involving io_uring and GUP pin theft. The exploit uses RDS zerocopy to manipulate pin references and achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · io_uring and RDS support · SUID binary for privilege escalation
mistral-large-3 · analyzed May 25, 2026 Full analysis →
github WORKING POC
by letsr00t · cpoc
https://github.com/letsr00t/CVE-2026-43494-PinTheft-PoC

This repository contains a functional proof-of-concept exploit for CVE-2026-43494, a Linux kernel local privilege escalation vulnerability. The exploit leverages io_uring and RDS zerocopy mechanisms to steal page pin references, ultimately achieving root privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (versions affected by CVE-2026-43494)
No auth needed
Prerequisites: Linux system with vulnerable kernel · io_uring and RDS support · SUID binary present
mistral-large-3 · analyzed May 30, 2026 Full analysis →
gitlab WORKING POC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/PinTheft-asm

This repository contains a functional exploit PoC for CVE-2026-43494, a local privilege escalation (LPE) vulnerability in the Linux kernel's RDS zcopy mechanism. The exploit leverages a double-free condition via io_uring to overwrite page cache and achieve root privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · io_uring support · RDS module loaded
mistral-large-3 · analyzed May 29, 2026 Full analysis →
nomisec WORKING POC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/PinTheft-asm

This repository contains a functional exploit PoC for CVE-2026-43494, leveraging an RDS zcopy double-free vulnerability to achieve local privilege escalation (LPE) via io_uring and page cache manipulation. The exploit is written in x86-64 assembly and includes detailed steps for pinning CPU, finding SUID binaries, and executing a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · io_uring support · RDS (Reliable Datagram Sockets) enabled
mistral-large-3 · analyzed May 28, 2026 Full analysis →
gitlab WORKING POC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/PinTheft-asm-deletion_scheduled-82639976

This repository contains a functional exploit PoC for CVE-2026-43494, which leverages an RDS zcopy double-free vulnerability to achieve local privilege escalation (LPE) via io_uring and page cache manipulation. The exploit is written in x86-64 assembly and includes detailed steps for pinning CPU, finding SUID binaries, and executing a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Local access to the vulnerable system · Presence of SUID binaries
mistral-large-3 · analyzed May 28, 2026 Full analysis →
nomisec WORKING POC
by tanzz1337 · poc
https://github.com/tanzz1337/CVE-2026-43494-PinTheft-PoC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-43494, leveraging a vulnerability in the Linux kernel's io_uring subsystem combined with RDS zerocopy to steal page pin references. The exploit includes a detailed UI, shellcode execution, and a multi-phase attack chain to achieve root privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · io_uring and RDS support enabled · SUID binary present on the system
mistral-large-3 · analyzed Jun 02, 2026 Full analysis →
gitlab WORKING POC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/PinTheft-go

This repository contains a functional exploit for CVE-2026-43494, leveraging a use-after-free vulnerability in the Linux kernel's io_uring subsystem to achieve local privilege escalation (LPE). The exploit manipulates reference counts and page cache to overwrite a SUID binary (e.g., /usr/bin/su) with a malicious payload, granting root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (io_uring subsystem)
No auth needed
Prerequisites: Linux kernel with vulnerable io_uring implementation · SUID binary (e.g., /usr/bin/su)
mistral-large-3 · analyzed May 25, 2026 Full analysis →
github WORKING POC
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-43494

This repository contains a functional local privilege escalation exploit for CVE-2026-43494, leveraging a double-free bug in the Linux kernel's RDS subsystem combined with io_uring to achieve page cache overwrite of SUID-root binaries.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel (with CONFIG_RDS and CONFIG_RDS_TCP enabled)
No auth needed
Prerequisites: Kernel with RDS and io_uring enabled · Readable SUID-root binary · x86_64 architecture
mistral-large-3 · analyzed May 23, 2026 Full analysis →
nomisec WORKING POC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/PinTheft-go

This repository contains a functional exploit for CVE-2026-43494, leveraging io_uring and RDS (Reliable Datagram Sockets) to achieve local privilege escalation (LPE) by manipulating page cache refcounts and overwriting SUID binaries.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · SUID binary presence · io_uring and RDS support
mistral-large-3 · analyzed May 23, 2026 Full analysis →

Scores

CVSS v3 7.8
EPSS 0.0027
EPSS Percentile 18.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-1341
Status published
Products (28)
linux/Kernel 4.17.0 - 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 4.17
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 03014551938a0887fa55f18ce49b70158a9c0113
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 0bbbff00a15b1df2cac9014d6cf4b6890f473353
... and 18 more
Published May 21, 2026
Tracked Since May 21, 2026