CVE-2026-43494

Published May 21, 2026

Last updated 8 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-43494, also known as "PinTheft," is a vulnerability found in the Linux kernel's Reliable Datagram Sockets (RDS) networking code. The core issue stems from an accounting error within the RDS zerocopy mechanism, where the `op_nents` counter is not properly reset when a page pin operation fails during `rds_message_zcopy_from_user()`. This oversight can lead to a double-free or a reference-counting anomaly within the kernel's memory management. This vulnerability becomes particularly impactful when chained with `io_uring` fixed buffers. The exploitation involves repeatedly draining page references through the RDS zerocopy failure path. This manipulation can cause `io_uring` to retain a pointer to a page that has already been freed and potentially reallocated, allowing an attacker to overwrite the in-memory page cache of a SUID-root program and achieve local privilege escalation.

Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Modified
Products
linux_kernel

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE-1341

Social media

Hype score
Not currently trending

Configurations