0xBlackash/CVE-2026-43494

GitHub: 0xBlackash/CVE-2026-43494

Stars: 2 | Forks: 1

# 🛠️ PinTheft — CVE-2026-43494

**Local Privilege Escalation in Linux Kernel via RDS + io_uring Page Cache Overwrite**

![Linux](https://img.shields.io/badge/Linux-Kernel-red?style=for-the-badge) ![Exploit](https://img.shields.io/badge/Exploit-Working-brightgreen?style=for-the-badge) ![Architecture](https://img.shields.io/badge/Architecture-x86__64-yellow?style=for-the-badge)

## 📌 Overview

**PinTheft** is a sophisticated local root exploit for **CVE-2026-43494**, a reference-counting bug in the Linux kernel's Reliable Datagram Sockets (RDS) subsystem. By combining a double-free in the RDS zero-copy path with io_uring's fixed buffers, the exploit achieves a reliable **page cache overwrite** of SUID-root binaries, resulting in **local privilege escalation** to root.

## 🧪 Vulnerability Details

- **Component**: `net/rds`
- **Trigger**: Failure path in `rds_message_zcopy_from_user()` → incorrect `op_nents` handling
- **Root Cause**: Double `put_page()` after failed `iov_iter_get_pages2()`
- **Impact**: Unprivileged local user → **root**

**CVSS Score**: ~7.8 (High)

## 🎯 Exploit Technique ("PinTheft")

1. **Pin target page** using `io_uring REGISTER_BUFFERS` (+1024 FOLL_PIN references)
2. **Clone buffers** to a second ring + hold with a daemon (prevents unpin on close)
3. **Steal all 1024 pins** using repeated failing RDS zero-copy `sendmsg`
4. `munmap()` → clean free to PCP (LIFO)
5. Trigger page cache reclaim of a **readable SUID binary**
6. Overwrite the reclaimed page using `IORING_OP_READ_FIXED` via the dangling `struct page*`
7. Execute the modified SUID binary → root shell

**Bypasses**:

- `CONFIG_INIT_ON_ALLOC_DEFAULT_ON`
- `bad_page()` checks
- io_uring unpin on ring destruction

## 📋 Requirements

- Kernel with `CONFIG_RDS` and `CONFIG_RDS_TCP` enabled
- `io_uring` enabled (`kernel.io_uring_disabled=0`)
- Kernel ≥ 6.13 (for optimal io_uring features)
- At least one **readable** SUID-root binary on the system
- x86_64 architecture

**Not vulnerable by default** on most distros (RDS is rarely enabled).

## 🚀 Usage

```bash
# 1. Clone & Compile
git clone https://github.com/0xBlackash/CVE-2026-43494.git
cd CVE-2026-43494
gcc -O2 -static CVE-2026-43494.c -o pintheft

# 2. Run
sudo ./pintheft CVE-2026-43494
```

## 📁 Files

- `CVE-2026-43494.c` — Full exploit source (PinTheft)
- `README.md` — This document
- `backup/` — Automatic backups of overwritten SUID binaries

## 🛡️ Mitigation

```bash
# Disable RDS
echo "install rds /bin/false" | sudo tee /etc/modprobe.d/disable-rds.conf
echo "install rds_tcp /bin/false" | sudo tee -a /etc/modprobe.d/disable-rds.conf
sudo modprobe -r rds_tcp rds

# Disable io_uring (if unused)
echo "kernel.io_uring_disabled=2" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

**Update your kernel** as soon as patches are available.

## 🔍 Verification

```bash
# Check if vulnerable
modprobe -n rds_tcp && echo "RDS: Vulnerable"
cat /proc/sys/kernel/io_uring_disabled
uname -r
```

## ⚠️ Disclaimer

- This exploit is for **educational and authorized testing** only.
- Misuse may destabilize the system or cause data loss.
- Always test in isolated virtual machines.
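As an added example that is not part of the PinTheft repository, the following POSIX shell script audits whether the two mitigations described above are actually in effect, refining the Verification check: an `install` directive only blocks future loads, so an already loaded `rds`/`rds_tcp` module is still reachable, and `kernel.io_uring_disabled=1` merely restricts io_uring to CAP_SYS_ADMIN rather than disabling it. The checks take their inputs as arguments so they can be run against constructed data; `--live` reads the host's `/etc/modprobe.d`, `/proc/modules` and sysctl value.

```shell
#!/bin/sh
# Added example (not the project's code): audit the README's two mitigations.
# Each check takes its input as an argument; --live feeds it the host's state.

# rds_blocked MODPROBE_DIR: 0 if the .conf files in MODPROBE_DIR carry both
# "install rds /bin/false" and "install rds_tcp /bin/false" (the README's directives).
rds_blocked() {
  for mod in rds rds_tcp; do
    grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false[[:space:]]*$" \
      "$1"/*.conf || return 1
  done
  return 0
}

# rds_loaded PROC_MODULES_TEXT: 0 if rds or rds_tcp is listed as a loaded module.
# A module already in the kernel is reachable regardless of modprobe configuration.
rds_loaded() {
  printf '%s\n' "$1" | grep -qE '^rds(_tcp)? '
}

# io_uring_restricted VALUE: 0 only for the README's setting (2 = io_uring disabled).
# 1 limits io_uring to CAP_SYS_ADMIN; 0 leaves it available to any user.
io_uring_restricted() {
  [ "$1" = "2" ]
}

# assess MODPROBE_DIR PROC_MODULES_TEXT IO_URING_VALUE: prints one line per
# mitigation and returns 0 only when both are in place.
assess() {
  status=0
  if rds_loaded "$2"; then
    echo "RDS: module loaded (sudo modprobe -r rds_tcp rds)"; status=1
  elif rds_blocked "$1"; then
    echo "RDS: blocked by modprobe install directives"
  else
    echo "RDS: not blocked; add the install directives under $1"; status=1
  fi
  if io_uring_restricted "$3"; then
    echo "io_uring: disabled (kernel.io_uring_disabled=2)"
  else
    echo "io_uring: available (kernel.io_uring_disabled=$3)"; status=1
  fi
  return "$status"
}

if [ "${1:-}" = "--live" ]; then
  assess /etc/modprobe.d "$(cat /proc/modules 2>/dev/null)" \
    "$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo unknown)"
fi
```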