7.8
HIGH CVSS 3.1
CVE-2026-43494
net/rds: reset op_nents when zerocopy page pin fails
Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

INFO

Published Date :

May 21, 2026, 12:16 p.m.

Last Modified :

June 30, 2026, 3:19 a.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2026-43494 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Solution
Apply kernel patch to fix memory corruption by resetting op_nents on page pin failure.
  • Apply the provided Linux kernel patch.
  • Ensure op_nents is correctly reset.
  • Verify rds_message_purge cleanup logic.
  • Test the fix in the rds_message_zcopy_from_user function.
Public PoC/Exploit Available at Github

CVE-2026-43494 has a 14 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-43494 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-43494 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Personal fork of Joshua-Riek/ubuntu-rockchip image builder for Orange Pi 5B

arm64 orangepi orangepi5b rk3588 rockchip ubuntu securitypatches

Shell Makefile

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : May 31, 2026, 4:50 p.m. This repo has been linked 5 different CVEs too.

None

C

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : May 30, 2026, 11:44 a.m. This repo has been linked 1 different CVEs too.

RootHawkX 是一个 Linux 本地安全测试终端工具,本项目基于RootHawk进行修改,集成了更多漏洞利用模块。

Go C Batchfile Shell

Updated: 3 days, 1 hour ago
23 stars 5 fork 5 watcher
Born at : May 29, 2026, 9:41 a.m. This repo has been linked 10 different CVEs too.

Linux page-cache injector for cross-container escape. Multiple kernel write primitives

Makefile C Shell Assembly

Updated: 1 month, 1 week ago
1 stars 0 fork 0 watcher
Born at : May 26, 2026, 12:15 p.m. This repo has been linked 4 different CVEs too.

Proof-of-concept for CVE-2026-43494 (PinTheft): Linux LPE via RDS zerocopy refcount bug + io_uring fixed buffers → SUID page-cache overwrite. Authorized research only.

C

Updated: 1 month, 1 week ago
3 stars 3 fork 3 watcher
Born at : May 25, 2026, 7:45 a.m. This repo has been linked 1 different CVEs too.

CVE-2026-43494

C

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 22, 2026, 7:29 p.m. This repo has been linked 1 different CVEs too.

A Go implementation of PinTheft (CVE-2026-43494)

Go

Updated: 1 month, 1 week ago
0 stars 1 fork 1 watcher
Born at : May 22, 2026, 7:25 p.m. This repo has been linked 1 different CVEs too.

Патч-скрипты для устранения критических уязвимостей (Copy Fail, Dirty Frag, PinTheft, GRO Frag) в РЕД ОС 7.3 и РЕД ОС 8.0

fstec linux-kernel security-scripts red-os cve-mitigation

Shell

Updated: 4 weeks ago
1 stars 0 fork 0 watcher
Born at : May 21, 2026, 7:11 p.m. This repo has been linked 7 different CVEs too.

Linux local privilege escalation PoCs and mitigations.

C Makefile

Updated: 4 weeks, 1 day ago
1 stars 0 fork 0 watcher
Born at : May 20, 2026, 10:21 a.m. This repo has been linked 8 different CVEs too.

Linux提权

Go C

Updated: 2 days, 1 hour ago
78 stars 16 fork 16 watcher
Born at : May 15, 2026, 8:42 a.m. This repo has been linked 9 different CVEs too.

Linux 打靶常用工具整合套件 爱来自 ll ❤️

Makefile C Python Shell Assembly PHP

Updated: 1 week, 4 days ago
43 stars 9 fork 9 watcher
Born at : May 3, 2026, 12:13 p.m. This repo has been linked 12 different CVEs too.

GYscan是一款基于Go语言开发的现代化综合渗透测试工具,专为安全研究人员、渗透测试工程师和红队成员设计。项目采用模块化架构,包含C2服务器端和客户端组件,支持Windows和Linux平台,提供系统安全分析和漏洞扫描功能。

Updated: 1 week, 5 days ago
79 stars 12 fork 12 watcher
Born at : Nov. 8, 2025, 4:18 p.m. This repo has been linked 26 different CVEs too.

DSA and DLA for Debian last 14 days

Python

Updated: 3 weeks, 6 days ago
0 stars 1 fork 1 watcher
Born at : Feb. 12, 2025, 2:08 p.m. This repo has been linked 1048 different CVEs too.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 3 weeks, 6 days ago
7810 stars 1261 fork 1261 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 718 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-43494 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-43494 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

    Jun. 30, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:/o:redhat:enterprise_linux:10'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 10', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 6', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 7', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:8'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:9'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9', 'defaultStatus': 'unaffected'}]
    Added CVSS V3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-1341
    Added Reference https://access.redhat.com/security/cve/CVE-2026-43494
    Added Reference https://bugzilla.redhat.com/show_bug.cgi?id=2480434
    Added Reference https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43494.json
  • Initial Analysis by [email protected]

    Jun. 26, 2026

    Action Type Old Value New Value
    Added CWE NVD-CWE-noinfo
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.141 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.91 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.33 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 7.0.10 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.175 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.209 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.17 up to (excluding) 5.10.258
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4 Types: Patch
    Added Reference Type kernel.org: https://github.com/v12-security/pocs/tree/main/pintheft Types: Exploit, Third Party Advisory
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/05/21/2 Types: Mailing List
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 17, 2026

    Action Type Old Value New Value
    Added Affected [{'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': 'c6e51512a784c4a7b86e1a044988696e3b3721fa', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': '03014551938a0887fa55f18ce49b70158a9c0113', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': 'd84ce1786ce40fdd3dd98db47aec5527817e1ef6', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': '9115669faedccdda100428e2d26fd0aac8c50799', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': '0bbbff00a15b1df2cac9014d6cf4b6890f473353', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': '640e37f58f991546a87540d067279c2c1fa9fe51', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': '290e833d1acb1093bc121fcdc97f5e6161157479', 'versionType': 'git'}, {'status': 'affected', 'version': '0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3', 'lessThan': 'e174929793195e0cd6a4adb0cad731b39f9019b4', 'versionType': 'git'}], 'programFiles': ['net/rds/message.c'], 'defaultStatus': 'unaffected'}, {'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '4.17'}, {'status': 'unaffected', 'version': '0', 'lessThan': '4.17', 'versionType': 'semver'}, {'status': 'unaffected', 'version': '5.10.258', 'versionType': 'semver', 'lessThanOrEqual': '5.10.*'}, {'status': 'unaffected', 'version': '5.15.209', 'versionType': 'semver', 'lessThanOrEqual': '5.15.*'}, {'status': 'unaffected', 'version': '6.1.175', 'versionType': 'semver', 'lessThanOrEqual': '6.1.*'}, {'status': 'unaffected', 'version': '6.6.141', 'versionType': 'semver', 'lessThanOrEqual': '6.6.*'}, {'status': 'unaffected', 'version': '6.12.91', 'versionType': 'semver', 'lessThanOrEqual': '6.12.*'}, {'status': 'unaffected', 'version': '6.18.33', 'versionType': 'semver', 'lessThanOrEqual': '6.18.*'}, {'status': 'unaffected', 'version': '7.0.10', 'versionType': 'semver', 'lessThanOrEqual': '7.0.*'}, {'status': 'unaffected', 'version': '7.1', 'versionType': 'original_commit_for_fix', 'lessThanOrEqual': '*'}], 'programFiles': ['net/rds/message.c'], 'defaultStatus': 'affected'}]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 12, 2026

    Action Type Old Value New Value
    Added Reference https://github.com/v12-security/pocs/tree/main/pintheft
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 01, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113
    Added Reference https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa
    Added Reference https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 30, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 23, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353
    Added Reference https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479
    Added Reference https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51
    Added Reference https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    May. 21, 2026

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2026/05/21/2
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 21, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
    Added Reference https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.