CVE-2026-43494

ANALYSIS PENDING

net/rds: reset op_nents when zerocopy page pin fails

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-43494. PoCs published by Unclecheng-li, 0xBlackash, Koshmare-Blossom.

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

Exploits (3)

github WORKING POC 95 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-43494 PinTheft

This repository contains a functional exploit for CVE-2026-43494, leveraging a double-free vulnerability in the Linux kernel's RDS zcopy mechanism combined with io_uring to achieve local privilege escalation (LPE). The exploit manipulates page references, bypasses kernel protections like init_on_alloc, and overwrites page cache to execute arbitrary code as root.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (with CONFIG_RDS, CONFIG_RDS_TCP, and CONFIG_IO_URING)
No auth needed
Prerequisites: CONFIG_RDS enabled · CONFIG_RDS_TCP enabled · CONFIG_IO_URING enabled · io_uring_disabled=0 · readable suid-root binary
devstral-2 · analyzed May 22, 2026

github WORKING POC
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-43494

This repository contains a functional local privilege escalation exploit for CVE-2026-43494, leveraging a double-free bug in the Linux kernel's RDS subsystem combined with io_uring to achieve page cache overwrite of SUID-root binaries.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (with CONFIG_RDS and CONFIG_RDS_TCP enabled)
No auth needed
Prerequisites: Kernel with RDS and io_uring enabled · Readable SUID-root binary · x86_64 architecture
devstral-2 · analyzed May 23, 2026

nomisec WORKING POC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/PinTheft-go

This repository contains a functional exploit for CVE-2026-43494, leveraging io_uring and RDS (Reliable Datagram Sockets) to achieve local privilege escalation (LPE) by manipulating page cache refcounts and overwriting SUID binaries.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux system with vulnerable kernel · SUID binary presence · io_uring and RDS support
devstral-2 · analyzed May 23, 2026

Scores

EPSS 0.0003
EPSS Percentile 9.9%

Details

Status published
Products (12)
Linux/Linux < 4.17
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 0bbbff00a15b1df2cac9014d6cf4b6890f473353
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 290e833d1acb1093bc121fcdc97f5e6161157479
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 640e37f58f991546a87540d067279c2c1fa9fe51
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - 9115669faedccdda100428e2d26fd0aac8c50799
Linux/Linux 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 - e174929793195e0cd6a4adb0cad731b39f9019b4
Linux/Linux 4.17
Linux/Linux 6.12.91 - 6.12.*
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 6.6.141 - 6.6.*
... and 2 more
Published May 21, 2026
Tracked Since May 21, 2026