CVE-2026-43494
net/rds: reset op_nents when zerocopy page pin fails
Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
INFO
Published Date :
May 21, 2026, 12:16 p.m.
Last Modified :
June 1, 2026, 5:17 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Solution
- Apply the provided Linux kernel patch.
- Ensure op_nents is correctly reset.
- Verify rds_message_purge cleanup logic.
- Test the fix in the rds_message_zcopy_from_user function.
Public PoC/Exploit Available at Github
CVE-2026-43494 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-43494.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-43494 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-43494
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Personal fork of Joshua-Riek/ubuntu-rockchip image builder for Orange Pi 5B
arm64 orangepi orangepi5b rk3588 rockchip ubuntu securitypatches
Shell Makefile
None
C
Linux page-cache injector for cross-container escape. Multiple kernel write primitives
Makefile C Shell Assembly
Proof-of-concept for CVE-2026-43494 (PinTheft): Linux LPE via RDS zerocopy refcount bug + io_uring fixed buffers → SUID page-cache overwrite. Authorized research only.
C
CVE-2026-43494
C
A Go implementation of PinTheft (CVE-2026-43494)
Go
Патч-скрипты для устранения критических уязвимостей (Copy Fail, Dirty Frag, PinTheft, GRO Frag) в РЕД ОС 7.3 и РЕД ОС 8.0
fstec linux-kernel security-scripts red-os cve-mitigation
Shell
Linux local privilege escalation PoCs and mitigations.
C Makefile
Linux 打靶常用工具整合套件 爱来自 ll ❤️
Makefile C Python Shell Assembly PHP
GYscan是一款基于Go语言开发的现代化综合渗透测试工具,专为安全研究人员、渗透测试工程师和红队成员设计。项目采用模块化架构,包含C2服务器端和客户端组件,支持Windows和Linux平台,提供系统安全分析和漏洞扫描功能。
DSA and DLA for Debian last 14 days
Python
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-43494 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-43494 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 01, 2026
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113 Added Reference https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa Added Reference https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6 -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 30, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 23, 2026
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353 Added Reference https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479 Added Reference https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51 Added Reference https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
May. 21, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/05/21/2 -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 21, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user(). Added Reference https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4