CVE-2026-43494
Published May 21, 2026
Last updated 2 days ago
AI description
CVE-2026-43494, also known as "PinTheft," is a vulnerability found in the Linux kernel's Reliable Datagram Sockets (RDS) networking code. The core issue stems from an accounting error within the RDS zerocopy mechanism, where the `op_nents` counter is not properly reset when a page pin operation fails during `rds_message_zcopy_from_user()`. This oversight can lead to a double-free or a reference-counting anomaly within the kernel's memory management. This vulnerability becomes particularly impactful when chained with `io_uring` fixed buffers. The exploitation involves repeatedly draining page references through the RDS zerocopy failure path. This manipulation can cause `io_uring` to retain a pointer to a page that has already been freed and potentially reallocated, allowing an attacker to overwrite the in-memory page cache of a SUID-root program and achieve local privilege escalation.
- Description
- In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails. When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later, when rds_message_purge() is called from rds_sendmsg(), the cleanup loop iterates over the incorrectly non-zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Received
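The accounting error in the description above, reduced to a user-space C model (an added illustration, not kernel code and not the upstream patch). `struct page`, `struct msg`, `zcopy_from_user()`, `message_purge()` and `refcount_after_failed_send()` are simplified stand-ins invented for this example; only the roles they play follow the description.

```c
#define NPAGES 4

/* Toy user-space stand-ins; only the names follow the kernel description. */
struct page { int refcount; };
struct msg  { struct page *sg[NPAGES]; int op_nents; };

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { p->refcount--; }

/* Models rds_message_zcopy_from_user(): pins pages in order and fails at
 * index fail_at. reset_nents = 0 is the buggy error path, 1 the fixed one. */
static int zcopy_from_user(struct msg *rm, struct page *pages,
                           int fail_at, int reset_nents)
{
    for (int i = 0; i < NPAGES; i++) {
        if (i == fail_at) {
            for (int j = 0; j < rm->op_nents; j++)
                put_page(rm->sg[j]);   /* error path drops the pins taken */
            if (reset_nents)
                rm->op_nents = 0;      /* the reset the fix adds */
            return -1;
        }
        get_page(&pages[i]);
        rm->sg[rm->op_nents++] = &pages[i];
    }
    return 0;
}

/* Models rds_message_purge(): releases every entry op_nents still counts. */
static void message_purge(struct msg *rm)
{
    for (int i = 0; i < rm->op_nents; i++)
        put_page(rm->sg[i]);
    rm->op_nents = 0;
}

/* Each page starts with one reference held by its owner. Returns page 0's
 * refcount after a send whose third pin fails and is then cleaned up. */
int refcount_after_failed_send(int reset_nents)
{
    struct page pages[NPAGES] = { {1}, {1}, {1}, {1} };
    struct msg rm = { .op_nents = 0 };

    if (zcopy_from_user(&rm, pages, 2, reset_nents) < 0)
        message_purge(&rm);            /* cleanup on the sendmsg error path */
    return pages[0].refcount;
}
```

Without the reset the function returns 0: the second cleanup pass has consumed the reference the page's owner still believes it holds. With the reset it returns 1.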
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
30
- Dirty Cow (CVE-2016-5195) - Dirty Pipe (CVE-2022-0847) - io_uring UAF (CVE-2022-2602) - Copy Fail (CVE-2026-31431) - io_uring ZCRX freelist (CVE-2026-43121) - Dirty Frag (CVE-2026-43284 CVE-2026-43500) - Fragnesia (CVE-2026-46300) - PinTheft (CVE-2026-43494)
@luadoles
22 May 2026
193 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
The complete Linux password reset collection - Dirty Cow (CVE-2016-5195) - Dirty Pipe (CVE-2022-0847) - io_uring UAF (CVE-2022-2602) - Copy Fail (CVE-2026-31431) - io_uring ZCRX freelist (CVE-2026-43121) - Dirty Frag (CVE-2026-43284 CVE-2026-43500) - Fragnesia (CVE-2026-46300) - PinTheft (CVE-2026-4
@hsn8086k
22 May 2026
37707 Impressions
101 Retweets
633 Likes
317 Bookmarks
40 Replies
7 Quotes