## https://sploitus.com/exploit?id=4B2935BC-24A1-5D4F-9B19-CE476E44512E
# SLEY β PinTheft PoC (CVE-2026-43494)
Proof of concept β uid=1000(raken) β uid=0(root) after ./sley on WSL2 (6.6.87.2-microsoft-standard-WSL2)
Single-file proof-of-concept for **[CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)** (*PinTheft*): a Linux kernel local privilege escalation that chains an **RDS zerocopy reference-count bug** with **io_uring fixed buffers** to overwrite the page cache of a SUID-root binary.
> **Disclaimer:** This repository is for **authorized security research, education, and defensive testing only**. Running this against systems you do not own or lack explicit permission to test is illegal and unethical. The authors assume no liability for misuse.
---
## Overview
| Item | Detail |
|------|--------|
| **CVE** | [CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494) |
| **Public name** | PinTheft |
| **Component** | `net/rds` β zerocopy send path (`rds_message_zcopy_from_user`) |
| **Primitive** | Double `put_page()` when page pin fails β steal `FOLL_PIN` refs |
| **Weaponization** | io_uring fixed buffer + RDS failing zerocopy β page-cache UAF write |
| **Impact** | Local root on vulnerable configurations |
| **Upstream fix** | [`e17492979319`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4) |
Original public research and PoC were published by the **V12 Security** team (Aaron Esau). **SLEY** is an independent, compact reimplementation with a styled terminal UI for lab use and learning.
---
## How it works
```mermaid
flowchart LR
A[mmap anonymous page] --> B[io_uring: register fixed buffer]
B --> C[Clone buffer table to 2nd ring]
C --> D[1024Γ failing RDS zerocopy sends]
D --> E[Drain FOLL_PIN bias / steal refs]
E --> F[munmap β page freed]
F --> G[SUID binary page reclaimed in page cache]
G --> H[Stale io_uring ptr writes ELF stub]
H --> I[exec SUID β root shell]
```
1. **Recon** β Pin to CPU 0, locate a readable SUID binary (`su`, `mount`, `passwd`, β¦).
2. **io_uring setup** β Register the anonymous page as a fixed buffer (`FOLL_PIN` bias β 1024).
3. **Pin theft** β Flood failing RDS zerocopy sends; each failure can drop an extra reference on the first pinned page.
4. **Reclaim & overwrite** β Unmap frees the page; reopening the SUID target races page-cache reclaim; stale fixed-buffer metadata allows writing a tiny x86_64 ELF stub into cache.
5. **Privesc** β `execve` the SUID binary runs the injected stub as root.
---
## Requirements
### Kernel / config
- Vulnerable (unpatched) Linux kernel with the RDS bug present
- `CONFIG_RDS=y` and `CONFIG_RDS_TCP=y`
- `CONFIG_IO_URING=y` and `kernel.io_uring_disabled = 0`
- `rds` / `rds_tcp` modules loaded (or autoloadable by unprivileged users)
- **Kernel β₯ 6.13** for `IORING_REGISTER_CLONE_BUFFERS` API used by the public chain
- **x86_64** for the embedded shell ELF payload in this PoC
### Build tools
```bash
sudo apt install build-essential linux-libc-dev # Debian/Ubuntu
# or equivalent headers package on your distro
```
### Permissions
- Unprivileged local user is sufficient on a **vulnerable** host (that is the threat model)
- Do **not** run on production systems
### Check exposure (read-only)
```bash
# Patched? (example β adjust for your distro)
uname -r
grep -r CVE-2026-43494 /usr/share/doc/linux* 2>/dev/null || true
# RDS available?
grep CONFIG_RDS /boot/config-$(uname -r) 2>/dev/null
lsmod | grep -E '^rds'
# io_uring enabled?
cat /proc/sys/kernel/io_uring_disabled # expect 0
```
---
## Build
```bash
gcc -O2 -Wall -Wextra -o sley sley.c
```
Static linking (optional, for minimal lab images):
```bash
gcc -O2 -static -o sley sley.c
```
---
## Usage
```bash
./sley
```
All status output goes to **stderr** (ANSI 256-color UI, progress bar, phased logging). Ensure your terminal supports **UTF-8** and **truecolor/256 colors** for the box-drawing UI.
Example phases:
```
PHASE 1 β Reconnaissance
PHASE 2 β Memory & io_uring setup
PHASE 3 β Pin reference theft (RDS zerocopy)
PHASE 4 β Page cache overwrite & privesc
```
### Expected result (vulnerable host)
On a successfully exploited configuration, the chain completes and hands off to the discovered SUID binary with an overwritten first page β yielding a **root shell** if the race and kernel state align.
On patched kernels, hardened hosts, or missing RDS/io_uring, the PoC will fail early (no SUID target, `mmap`/`io_uring`/`socket` errors, etc.).
---
## Mitigation
| Action | Notes |
|--------|-------|
| **Patch kernel** | Apply stable fix containing commit `e17492979319` |
| **Disable RDS** | `modprobe -r rds_tcp rds` (and block autoload) if not required |
| **Restrict io_uring** | `kernel.io_uring_disabled=1` or `2` via sysctl |
| **Least privilege** | Remove unnecessary SUID binaries; use containers with hardened profiles |
| **Monitor** | Alert on burst RDS zerocopy failures + io_uring buffer registration patterns |
Distro-specific security advisories may ship backported patches β track your vendorβs kernel security queue.
---
## Project layout
```
.
βββ README.md # This file
βββ proof-of-concept.jpg # Screenshot: successful LPE (uid 1000 β root)
βββ sley.c # Single-file PoC + terminal UI
βββ .gitignore
```
---
## References
- [NVD β CVE-2026-43494](https://nvd.nist.gov/vuln/detail/CVE-2026-43494)
- [oss-security β PinTheft discussion](https://www.openwall.com/lists/oss-security/2026/05/21/2)
- [Kernel fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e174929793195e0cd6a4adb0cad731b39f9019b4)
---
## Legal
This software is provided **as-is** for research and education. You are responsible for complying with applicable laws and obtaining written authorization before testing any system you do not own.
---
## License
MIT β see repository license file if added. Use responsibly.