Share
## https://sploitus.com/exploit?id=4B2935BC-24A1-5D4F-9B19-CE476E44512E
# SLEY β€” PinTheft PoC (CVE-2026-43494)


  
    
  



  Proof of concept β€” uid=1000(raken) β†’ uid=0(root) after ./sley on WSL2 (6.6.87.2-microsoft-standard-WSL2)



  
  
  
  


Single-file proof-of-concept for **[CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)** (*PinTheft*): a Linux kernel local privilege escalation that chains an **RDS zerocopy reference-count bug** with **io_uring fixed buffers** to overwrite the page cache of a SUID-root binary.

> **Disclaimer:** This repository is for **authorized security research, education, and defensive testing only**. Running this against systems you do not own or lack explicit permission to test is illegal and unethical. The authors assume no liability for misuse.

---

## Overview

| Item | Detail |
|------|--------|
| **CVE** | [CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494) |
| **Public name** | PinTheft |
| **Component** | `net/rds` β€” zerocopy send path (`rds_message_zcopy_from_user`) |
| **Primitive** | Double `put_page()` when page pin fails β†’ steal `FOLL_PIN` refs |
| **Weaponization** | io_uring fixed buffer + RDS failing zerocopy β†’ page-cache UAF write |
| **Impact** | Local root on vulnerable configurations |
| **Upstream fix** | [`e17492979319`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4) |

Original public research and PoC were published by the **V12 Security** team (Aaron Esau). **SLEY** is an independent, compact reimplementation with a styled terminal UI for lab use and learning.

---

## How it works

```mermaid
flowchart LR
    A[mmap anonymous page] --> B[io_uring: register fixed buffer]
    B --> C[Clone buffer table to 2nd ring]
    C --> D[1024Γ— failing RDS zerocopy sends]
    D --> E[Drain FOLL_PIN bias / steal refs]
    E --> F[munmap β†’ page freed]
    F --> G[SUID binary page reclaimed in page cache]
    G --> H[Stale io_uring ptr writes ELF stub]
    H --> I[exec SUID β†’ root shell]
```

1. **Recon** β€” Pin to CPU 0, locate a readable SUID binary (`su`, `mount`, `passwd`, …).
2. **io_uring setup** β€” Register the anonymous page as a fixed buffer (`FOLL_PIN` bias β‰ˆ 1024).
3. **Pin theft** β€” Flood failing RDS zerocopy sends; each failure can drop an extra reference on the first pinned page.
4. **Reclaim & overwrite** β€” Unmap frees the page; reopening the SUID target races page-cache reclaim; stale fixed-buffer metadata allows writing a tiny x86_64 ELF stub into cache.
5. **Privesc** β€” `execve` the SUID binary runs the injected stub as root.

---

## Requirements

### Kernel / config

- Vulnerable (unpatched) Linux kernel with the RDS bug present
- `CONFIG_RDS=y` and `CONFIG_RDS_TCP=y`
- `CONFIG_IO_URING=y` and `kernel.io_uring_disabled = 0`
- `rds` / `rds_tcp` modules loaded (or autoloadable by unprivileged users)
- **Kernel β‰₯ 6.13** for `IORING_REGISTER_CLONE_BUFFERS` API used by the public chain
- **x86_64** for the embedded shell ELF payload in this PoC

### Build tools

```bash
sudo apt install build-essential linux-libc-dev   # Debian/Ubuntu
# or equivalent headers package on your distro
```

### Permissions

- Unprivileged local user is sufficient on a **vulnerable** host (that is the threat model)
- Do **not** run on production systems

### Check exposure (read-only)

```bash
# Patched? (example β€” adjust for your distro)
uname -r
grep -r CVE-2026-43494 /usr/share/doc/linux* 2>/dev/null || true

# RDS available?
grep CONFIG_RDS /boot/config-$(uname -r) 2>/dev/null
lsmod | grep -E '^rds'

# io_uring enabled?
cat /proc/sys/kernel/io_uring_disabled  # expect 0
```

---

## Build

```bash
gcc -O2 -Wall -Wextra -o sley sley.c
```

Static linking (optional, for minimal lab images):

```bash
gcc -O2 -static -o sley sley.c
```

---

## Usage

```bash
./sley
```

All status output goes to **stderr** (ANSI 256-color UI, progress bar, phased logging). Ensure your terminal supports **UTF-8** and **truecolor/256 colors** for the box-drawing UI.

Example phases:

```
PHASE 1 β”‚ Reconnaissance
PHASE 2 β”‚ Memory & io_uring setup
PHASE 3 β”‚ Pin reference theft (RDS zerocopy)
PHASE 4 β”‚ Page cache overwrite & privesc
```

### Expected result (vulnerable host)

On a successfully exploited configuration, the chain completes and hands off to the discovered SUID binary with an overwritten first page β€” yielding a **root shell** if the race and kernel state align.

On patched kernels, hardened hosts, or missing RDS/io_uring, the PoC will fail early (no SUID target, `mmap`/`io_uring`/`socket` errors, etc.).

---

## Mitigation

| Action | Notes |
|--------|-------|
| **Patch kernel** | Apply stable fix containing commit `e17492979319` |
| **Disable RDS** | `modprobe -r rds_tcp rds` (and block autoload) if not required |
| **Restrict io_uring** | `kernel.io_uring_disabled=1` or `2` via sysctl |
| **Least privilege** | Remove unnecessary SUID binaries; use containers with hardened profiles |
| **Monitor** | Alert on burst RDS zerocopy failures + io_uring buffer registration patterns |

Distro-specific security advisories may ship backported patches β€” track your vendor’s kernel security queue.

---

## Project layout

```
.
β”œβ”€β”€ README.md              # This file
β”œβ”€β”€ proof-of-concept.jpg   # Screenshot: successful LPE (uid 1000 β†’ root)
β”œβ”€β”€ sley.c                 # Single-file PoC + terminal UI
└── .gitignore
```

---

## References

- [NVD β€” CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)
- [oss-security β€” PinTheft discussion](https://www.openwall.com/lists/oss-security/2026/05/21/2)
- [Kernel fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4)

---

## Legal

This software is provided **as-is** for research and education. You are responsible for complying with applicable laws and obtaining written authorization before testing any system you do not own.

---

## License

MIT β€” see repository license file if added. Use responsibly.