GitHub: letsr00t/CVE-2026-43494-PinTheft-PoC

# SLEY — PinTheft PoC (CVE-2026-43494)

Screenshot (`proof-of-concept.jpg`): `uid=1000(raken)` → `uid=0(root)` after `./sley` on WSL2 (`6.6.87.2-microsoft-standard-WSL2`).

Badges: CVE-2026-43494 · Linux LPE · io_uring · RDS

Single-file proof-of-concept for **[CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)** (*PinTheft*): a Linux kernel local privilege escalation that chains an **RDS zerocopy reference-count bug** with **io_uring fixed buffers** to overwrite the page cache of a SUID-root binary.

## Overview

| Item | Detail |
|------|--------|
| **CVE** | [CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494) |
| **Public name** | PinTheft |
| **Component** | `net/rds` — zerocopy send path (`rds_message_zcopy_from_user`) |
| **Primitive** | Double `put_page()` when page pin fails → steal `FOLL_PIN` refs |
| **Weaponization** | io_uring fixed buffer + RDS failing zerocopy → page-cache UAF write |
| **Impact** | Local root on vulnerable configurations |
| **Upstream fix** | [`e17492979319`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4) |

Original public research and PoC were published by the **V12 Security** team (Aaron Esau). **SLEY** is an independent, compact reimplementation with a styled terminal UI for lab use and learning.

## How it works

```mermaid
flowchart LR
    A[mmap anonymous page] --> B[io_uring: register fixed buffer]
    B --> C[Clone buffer table to 2nd ring]
    C --> D[1024× failing RDS zerocopy sends]
    D --> E[Drain FOLL_PIN bias / steal refs]
    E --> F[munmap → page freed]
    F --> G[SUID binary page reclaimed in page cache]
    G --> H[Stale io_uring ptr writes ELF stub]
    H --> I[exec SUID → root shell]
```

1. **Recon** — Pin to CPU 0, locate a readable SUID binary (`su`, `mount`, `passwd`, …).
2. **io_uring setup** — Register the anonymous page as a fixed buffer (`FOLL_PIN` bias ≈ 1024).
3. **Pin theft** — Flood failing RDS zerocopy sends; each failure can drop an extra reference on the first pinned page.
4. **Reclaim & overwrite** — Unmap frees the page; reopening the SUID target races page-cache reclaim; stale fixed-buffer metadata allows writing a tiny x86_64 ELF stub into cache.
5. **Privesc** — `execve` of the SUID binary runs the injected stub as root.

## Requirements

### Kernel / config

- Vulnerable (unpatched) Linux kernel with the RDS bug present
- `CONFIG_RDS=y` and `CONFIG_RDS_TCP=y`
- `CONFIG_IO_URING=y` and `kernel.io_uring_disabled = 0`
- `rds` / `rds_tcp` modules loaded (or autoloadable by unprivileged users)
- **Kernel ≥ 6.13** for the `IORING_REGISTER_CLONE_BUFFERS` API used by the public chain
- **x86_64** for the embedded shell ELF payload in this PoC

### Build tools

```bash
sudo apt install build-essential linux-libc-dev   # Debian/Ubuntu
# or equivalent headers package on your distro
```

### Permissions

- An unprivileged local user is sufficient on a **vulnerable** host (that is the threat model)
- Do **not** run on production systems

### Check exposure (read-only)

```bash
# Patched? (example — adjust for your distro)
uname -r
grep -r CVE-2026-43494 /usr/share/doc/linux* 2>/dev/null || true

# RDS available?
grep CONFIG_RDS /boot/config-$(uname -r) 2>/dev/null
lsmod | grep -E '^rds'

# io_uring enabled?
cat /proc/sys/kernel/io_uring_disabled   # expect 0
```

## Build

```bash
gcc -O2 -Wall -Wextra -o sley sley.c
```

Static linking (optional, for minimal lab images):

```bash
gcc -O2 -static -o sley sley.c
```

## Usage

```bash
./sley
```

All status output goes to **stderr** (ANSI 256-color UI, progress bar, phased logging). Ensure your terminal supports **UTF-8** and **truecolor/256 colors** for the box-drawing UI.

Example phases:

```text
PHASE 1 │ Reconnaissance
PHASE 2 │ Memory & io_uring setup
PHASE 3 │ Pin reference theft (RDS zerocopy)
PHASE 4 │ Page cache overwrite & privesc
```

### Expected result (vulnerable host)

On a successfully exploited configuration, the chain completes and hands off to the discovered SUID binary with an overwritten first page — yielding a **root shell** if the race and kernel state align.

On patched kernels, hardened hosts, or missing RDS/io_uring, the PoC will fail early (no SUID target, `mmap`/`io_uring`/`socket` errors, etc.).

## Mitigation

| Action | Notes |
|--------|-------|
| **Patch kernel** | Apply stable fix containing commit `e17492979319` |
| **Disable RDS** | `modprobe -r rds_tcp rds` (and block autoload) if not required |
| **Restrict io_uring** | `kernel.io_uring_disabled=1` or `2` via sysctl |
| **Least privilege** | Remove unnecessary SUID binaries; use containers with hardened profiles |
| **Monitor** | Alert on burst RDS zerocopy failures + io_uring buffer registration patterns |

Distro-specific security advisories may ship backported patches — track your vendor’s kernel security queue.

## Project layout

```text
.
├── README.md              # This file
├── proof-of-concept.jpg   # Screenshot: successful LPE (uid 1000 → root)
├── sley.c                 # Single-file PoC + terminal UI
└── .gitignore
```

## References

- [NVD — CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)
- [oss-security — PinTheft discussion](https://www.openwall.com/lists/oss-security/2026/05/21/2)
- [Kernel fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4)

## Legal

This software is provided **as-is** for research and education. You are responsible for complying with applicable laws and obtaining written authorization before testing any system you do not own.

## License

MIT — see repository license file if added. Use responsibly.
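## Added example: exposure check and mitigation staging

The read-only "Check exposure" commands and the "Mitigation" table, turned into one runnable script. This is an added example and is not part of the SLEY repository or of the V12 Security research: the function names, the modprobe/sysctl file names (`disable-rds.conf`, `99-io-uring.conf`), and the sample kernel config and `lsmod` text are this example's own constructed choices. The verdict logic is driven by string inputs so it can be run offline against captured values; `classify_live_host` feeds it the running kernel's values.

```shell
#!/bin/sh
# Added example, not part of the SLEY repository: the "Check exposure" commands
# and the "Mitigation" table turned into checkable functions. Inputs are passed
# as strings so the logic can run against captured values as well as a live host.

# kernel_at_least MAJOR MINOR RELEASE: 0 if RELEASE ("6.6.87.2-...") is >= MAJOR.MINOR
kernel_at_least() {
    release=$3; have_major=${release%%.*}
    rest=${release#*.}; have_minor=${rest%%[!0-9]*}
    [ "$have_major" -gt "$1" ] || { [ "$have_major" -eq "$1" ] && [ "$have_minor" -ge "$2" ]; }
}

# rds_present CONFIG_TEXT LSMOD_TEXT: 0 if RDS is built in, loaded, or a loadable
# module (=m is autoloadable unless a modprobe "install" rule blocks it; that
# file is not consulted here).
rds_present() {
    printf '%s\n' "$1" | grep -q '^CONFIG_RDS=[ym]' && return 0
    printf '%s\n' "$2" | grep -q '^rds'
}

# io_uring_enabled SYSCTL_VALUE: 0 when unprivileged processes can create rings
io_uring_enabled() { [ "$1" = 0 ]; }

# classify_exposure RELEASE CONFIG_TEXT LSMOD_TEXT IO_URING_DISABLED
# Returns 0 (EXPOSED) when RDS is reachable and io_uring is enabled, i.e. when the
# configuration-level mitigations below apply; prints a one-line verdict either way.
classify_exposure() {
    missing=""
    rds_present "$2" "$3" || missing="$missing rds"
    io_uring_enabled "$4" || missing="$missing io_uring"
    if kernel_at_least 6 13 "$1"; then api=present; else api="absent (public chain needs >= 6.13)"; fi
    if [ -n "$missing" ]; then
        echo "REDUCED: $1 lacks:$missing; IORING_REGISTER_CLONE_BUFFERS $api"; return 1
    fi
    echo "EXPOSED: $1 has RDS and io_uring; IORING_REGISTER_CLONE_BUFFERS $api; apply the fix (e17492979319)"
}

# classify_live_host: gather the four inputs from the running kernel. A missing
# io_uring_disabled sysctl means the kernel predates that knob, so io_uring is on.
classify_live_host() {
    rel=$(uname -r)
    cfg=$(grep -E '^CONFIG_(RDS|IO_URING)' "/boot/config-$rel" 2>/dev/null || true)
    mods=$(lsmod 2>/dev/null || true)
    iou=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo 0)
    classify_exposure "$rel" "$cfg" "$mods" "$iou"
}

# Mitigations from the table, staged under ROOT ($1; empty = the live filesystem)
# so they can be reviewed in a scratch directory first. File names are this
# example's choice. A plain "blacklist rds" line does not stop the kernel's own
# request_module() on socket(AF_RDS); an "install ... /bin/false" rule does.
write_rds_block() {
    mkdir -p "$1/etc/modprobe.d"
    printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > "$1/etc/modprobe.d/disable-rds.conf"
}

# write_io_uring_restriction ROOT LEVEL: 1 = only CAP_SYS_ADMIN / io_uring group, 2 = off
write_io_uring_restriction() {
    case $2 in 1|2) ;; *) echo "io_uring_disabled must be 1 or 2" >&2; return 1 ;; esac
    mkdir -p "$1/etc/sysctl.d"
    printf 'kernel.io_uring_disabled = %s\n' "$2" > "$1/etc/sysctl.d/99-io-uring.conf"
}

# verify_mitigations ROOT: 0 only if both files are present with the expected content
verify_mitigations() {
    grep -qs '^install rds /bin/false' "$1/etc/modprobe.d/disable-rds.conf" &&
    grep -qsE '^kernel\.io_uring_disabled *= *[12]$' "$1/etc/sysctl.d/99-io-uring.conf"
}

# Offline demonstration on constructed values (not captured from a real host).
SAMPLE_CONFIG='CONFIG_RDS=m
CONFIG_RDS_TCP=m
CONFIG_IO_URING=y'
SAMPLE_LSMOD='rds_tcp 20480 0
rds 57344 1 rds_tcp'
classify_exposure "6.13.4-generic" "$SAMPLE_CONFIG" "$SAMPLE_LSMOD" 0 || true
classify_exposure "6.6.87.2-microsoft-standard-WSL2" "" "" 2 || true
scratch=$(mktemp -d)
write_rds_block "$scratch"; write_io_uring_restriction "$scratch" 2
verify_mitigations "$scratch" && echo "mitigations staged under $scratch"
```

Run as-is for the offline demonstration. On a real host, call `classify_live_host` for the verdict, then (as root) call the two `write_*` functions with an empty ROOT argument, activate with `sysctl -p /etc/sysctl.d/99-io-uring.conf` and the table's `modprobe -r rds_tcp rds`, and confirm with `verify_mitigations ""`. The `install` rule is what actually closes the RDS autoload path listed under Requirements; patching to a kernel containing `e17492979319` remains the real fix.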