Hi,

CVE-2026-43494 was assigned by the Kernel CNA to the fix in commit e174929793195e0cd6a4adb0cad731b39f9019b4.

Ciao, Marcus

On Tue, May 19, 2026 at 09:41:07PM +0200, Jelle van der Waa wrote:
>
>
> On 19/05/2026 18:24, Sam James wrote:
> > Sam James <[email protected]> writes:
> >
> > > v12-security have shared a new Linux LPE today, PinTheft [0].
> > >
> > > Quoting their abstract:
> > > > PinTheft is a Linux local privilege escalation exploit for an RDS
> > > > zerocopy double-free that can be turned into a page-cache overwrite
> > > > through io_uring fixed buffers.
> > > >
> > > > PinTheft was discovered with V12 by Aaron Esau of the V12 security
> > > > team. We duped on this bug with some other teams and a patch is
> > > > available so we are releasing our PoC.
> > > >
> > > > The bug lived in the RDS zerocopy send
> > > > path. rds_message_zcopy_from_user() pins user pages one at a time. If
> > > > a later page faults, the error path drops the pages it already pinned,
> > > > and later RDS message cleanup drops them again because the scatterlist
> > > > entries and entry count remain live after the zcopy notifier is
> > > > cleared. Each failed zerocopy send can steal one reference from the
> > > > first page.
> > > >
> > > > The PoC uses io_uring to make that refcount bug useful. It registers
> > > > an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
> > > > of 1024 references. It then steals those references with failing RDS
> > > > zerocopy sends, frees the page, reclaims it as page cache for a
> > > > SUID-root binary, and uses the stale io_uring fixed-buffer page
> > > > pointer to overwrite that page cache with a small ELF
> > > > payload. Executing the SUID binary drops into a root shell.
> > > >
> > > > Sadly, the RDS kernel module this requires is only default on Arch
> > > > Linux among the common distributions we tested.
> >
> > While of course I can't know what distros they tested, this does
> > seem to be on in at least Fedora too? https://oracle.github.io/kconfigs/
> > seems to agree with that.
>
> Fedora seems "unaffected", CONFIG_RDS=m is set in Fedora unlike RHEL and the
> kernel module is packaged in kernel-modules-extra which my Fedora Cloud
> Edition does not have pre-installed. [1] [2]
>
> After installing kernel-modules-extra, the modprobe config file still
> prevents it from being loaded:
>
> [root@fedora-44-127-0-0-2-2201 ~]# rpm -ql kernel-modules-extra | grep rds
> /etc/modprobe.d/rds-blacklist.conf
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds.ko.xz
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_rdma.ko.xz
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_tcp.ko.xz
>
> [root@fedora-44-127-0-0-2-2201 ~]# modprobe rds
> modprobe: FATAL: Module rds not found in directory
> /lib/modules/7.0.4-200.fc44.x86_64
>
> [1]
> https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_5970
> [2]
> https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/configs/rhel/generic/CONFIG_RDS

-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg
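The Fedora check in the thread above (CONFIG_RDS, kernel-modules-extra, the modprobe.d blacklist) generalises to three gates any distribution admin can audit. The script below is an added example, not code from the thread or from any of the distributions mentioned; it assumes the kernel config is readable at /boot/config-$(uname -r) and that modprobe.d rules live under /etc/modprobe.d. It also records the difference between `blacklist rds` (blocks only alias-driven autoload, such as the net-pf alias triggered by an unprivileged socket(AF_RDS, ...)) and `install rds /bin/false` (also blocks an explicit `modprobe rds`).

```shell
#!/bin/sh
# Added example: audit the gates that decide whether rds can be loaded on a
# host. Assumes /boot/config-$(uname -r), /lib/modules and /etc/modprobe.d.

# rds_config_state FILE: print builtin|module|absent for CONFIG_RDS in a
# plain-text kernel config (zcat /proc/config.gz to a file if needed).
rds_config_state() {
  if grep -qs '^CONFIG_RDS=y' "$1"; then echo builtin
  elif grep -qs '^CONFIG_RDS=m' "$1"; then echo module
  else echo absent; fi
}

# rds_blacklist_level DIR: strongest rds rule in modprobe.d files under DIR.
#   install-false: "install rds /bin/false" (or /bin/true); modprobe rds fails
#   blacklist:     "blacklist rds"; only alias-driven autoload is blocked
#                  (the net-pf alias hit by socket(AF_RDS, ...)), an explicit
#                  "modprobe rds" by root still loads the module
#   none:          no rule found
rds_blacklist_level() {
  if grep -rEqs '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(false|true)' "$1"; then
    echo install-false
  elif grep -rEqs '^[[:space:]]*blacklist[[:space:]]+rds[[:space:]]*$' "$1"; then
    echo blacklist
  else echo none; fi
}

# rds_module_shipped MODDIR: exit 0 if rds.ko (possibly compressed) exists
# under MODDIR, normally /lib/modules/$(uname -r).
rds_module_shipped() { find "$1" -path '*/net/rds/rds.ko*' 2>/dev/null | grep -q .; }

# rds_risk STATE LEVEL SHIPPED(yes|no): one-line verdict. Exit status:
# 0 = reachable by an unprivileged user, 2 = root-only explicit load, 1 = no.
rds_risk() {
  case "$1" in
    builtin) echo "loaded: RDS is built into the kernel"; return 0 ;;
    absent)  echo "unreachable: CONFIG_RDS is not set"; return 1 ;;
  esac
  [ "$3" = yes ] || { echo "unreachable: rds.ko not shipped for this kernel"; return 1; }
  case "$2" in
    install-false) echo "blocked: install rule stops modprobe rds"; return 1 ;;
    blacklist)     echo "autoload blocked: explicit modprobe still loads rds"; return 2 ;;
    *)             echo "loadable: unprivileged socket(AF_RDS) can autoload rds"; return 0 ;;
  esac
}

audit_rds() {  # run all gates against the live host
  shipped=no; rds_module_shipped "/lib/modules/$(uname -r)" && shipped=yes
  rds_risk "$(rds_config_state "/boot/config-$(uname -r)")" \
           "$(rds_blacklist_level /etc/modprobe.d)" "$shipped"
}
if [ "${1:-}" = "--live" ]; then audit_rds; fi
```

Run it as `sh audit-rds.sh --live` on each host; the functions take paths so the same checks can be pointed at an unpacked image or a mounted root filesystem.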
