Re: PinTheft Linux LPE

[Marcus Meissner <meissner () suse de>]

Hi,

CVE-2026-43494 was assigned by the Kernel CNA to the fix in 
commit e174929793195e0cd6a4adb0cad731b39f9019b4.

Ciao, Marcus
On Tue, May 19, 2026 at 09:41:07PM +0200, Jelle van der Waa wrote:
> On 19/05/2026 18:24, Sam James wrote:
> > Sam James <sam () gentoo org> writes:
> >
> > > v12-security have shared a new Linux LPE today, PinTheft [0].
> > >
> > > Quoting their abstract:
> > > > PinTheft is a Linux local privilege escalation exploit for an RDS
> > > > zerocopy double-free that can be turned into a page-cache overwrite
> > > > through io_uring fixed buffers.
> > > >
> > > > PinTheft was discovered with V12 by Aaron Esau of the V12 security
> > > > team. We duped on this bug with some other teams and a patch is
> > > > available so we are releasing our PoC.
> > > >
> > > > The bug lived in the RDS zerocopy send
> > > > path. rds_message_zcopy_from_user() pins user pages one at a time. If
> > > > a later page faults, the error path drops the pages it already pinned,
> > > > and later RDS message cleanup drops them again because the scatterlist
> > > > entries and entry count remain live after the zcopy notifier is
> > > > cleared. Each failed zerocopy send can steal one reference from the first page.
> > > >
> > > > The PoC uses io_uring to make that refcount bug useful. It registers
> > > > an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
> > > > of 1024 references. It then steals those references with failing RDS
> > > > zerocopy sends, frees the page, reclaims it as page cache for a
> > > > SUID-root binary, and uses the stale io_uring fixed-buffer page
> > > > pointer to overwrite that page cache with a small ELF
> > > > payload. Executing the SUID binary drops into a root shell.
> > > >
> > > > Sadly, the RDS kernel module this requires is only default on Arch
> > > > Linux among the common distributions we tested.
> >
> > While of course I can't know what distros they tested, this does
> > seem to be on in at least Fedora too? https://oracle.github.io/kconfigs/
> > seems to agree with that.
> Fedora seems "unaffected", CONFIG_RDS=m is set in Fedora unlike RHEL and the
> kernel module is packaged in kernel-modules-extra which my Fedora Cloud
> Edition does not have pre-installed. [1] [2]
>
> After installing kernel-modules-extra, the modprobe config file still
> prevents it from being loaded:
>
> [root@fedora-44-127-0-0-2-2201 ~]# rpm -ql kernel-modules-extra | grep rds
> /etc/modprobe.d/rds-blacklist.conf
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds.ko.xz
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_rdma.ko.xz
> /lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_tcp.ko.xz
>
> [root@fedora-44-127-0-0-2-2201 ~]# modprobe rds
> modprobe: FATAL: Module rds not found in directory
> /lib/modules/7.0.4-200.fc44.x86_64
>
> [1] https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_5970
> [2] https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/configs/rhel/generic/CONFIG_RDS

-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg