Vulnerability Analysis on KnightLi Blog

CVE-2026-43494 / PinTheft: Local Privilege Escalation Risk from Linux RDS and io_uring

Fri, 22 May 2026 15:16:59 +0800

CVE-2026-43494 is a Linux kernel local privilege escalation risk. The related exploitation chain is also known publicly as PinTheft. The key point is not a remote entry point, but whether a low-privilege local user can line up RDS zerocopy, io_uring fixed buffers, a readable SUID-root program, and a suitable kernel version.

One naming detail is worth clarifying first: the Unclecheng-li/poc-lab repository directory is named CVE-2026-43494 PinTheft, while the README title also mentions QVD-2026-27616 - PinTheft. Based on public CVE entries and third-party advisories, CVE-2026-43494 points to a Linux kernel RDS zerocopy issue where op_nents is not reset correctly, leading to a double-free / reference-counting anomaly. QVD-2026-27616 appears more like a Qianxin risk advisory identifier. In real triage, record both identifiers, but treat distribution security advisories and kernel patch status as the source of truth.

What Is the Core Bug?

The issue appears in the zerocopy send path of Linux RDS, Reliable Datagram Sockets. Public descriptions point to these key functions:

1
2

rds_message_zcopy_from_user()
rds_message_purge()

When iov_iter_get_pages2() fails inside rds_message_zcopy_from_user(), pages that have already been pinned can be released by the error path, but the related op_nents state is not cleared correctly. Later, rds_message_purge() may still release the residual entries again. The result is that the same batch of page references can be decremented too many times, creating an exploitable reference-counting error.

Viewed alone, the RDS bug is an error-path memory-management issue inside the kernel. PinTheft becomes dangerous because the exploitation chain connects it with the io_uring fixed-buffer mechanism: io_uring still keeps an old struct page *, while the page itself has already been freed and reallocated for another purpose. The public PoC then steers this state toward overwriting the page cache of a SUID-root program, eventually reaching local privilege escalation.

Why It Is Called PinTheft

io_uring REGISTER_BUFFERS pins user pages. For normal pages, FOLL_PIN is not just a simple reference increment; it raises the page refcount through a larger bias. The public PoC uses the concept of GUP_PIN_COUNTING_BIAS = 1024.

The name PinTheft means the attack chain repeatedly “steals” those pin references through the RDS zerocopy failure path. After the references are drained, io_uring still believes it holds a valid page, but that physical page can now be freed and reused by the page cache.

This class of vulnerability is easy to misread as “directly modifying /usr/bin/su on disk.” A more accurate description is that the exploitation chain tries to overwrite the in-memory page cache. The file itself may not be written back to disk, but when the kernel executes the SUID program, it may fetch instructions from the contaminated page cache and run the attack payload.

The Trigger Conditions Are Not Broad

This is not a vulnerability where “any Linux server can be remotely hit.” Public information indicates that the exploitation chain depends on at least these conditions:

The kernel has CONFIG_RDS and CONFIG_RDS_TCP enabled.
The system has CONFIG_IO_URING enabled, and kernel.io_uring_disabled=0.
The rds / rds_tcp modules are already loaded, or a low-privilege user can trigger autoloading.
A readable SUID-root binary exists locally, such as /usr/bin/su, /usr/bin/passwd, or /usr/bin/pkexec.
The public PoC also depends on the newer IORING_REGISTER_CLONE_BUFFERS API. CloudLinux analysis notes that the public PoC is more aligned with kernel 6.13 and later.

If any one of these links is missing, the public exploitation path breaks. For example, many RHEL-family distributions do not compile RDS by default, older Ubuntu kernels may lack the io_uring clone-buffer API needed by the PoC, and some environments restrict automatic RDS module loading by unprivileged users.

One-Minute Self-Check

First, check the kernel configuration:

1
2

zgrep -E "CONFIG_(RDS|RDS_TCP|IO_URING)" /proc/config.gz 2>/dev/null \
  || grep -E "CONFIG_(RDS|RDS_TCP|IO_URING)" /boot/config-$(uname -r)

Then check whether io_uring is disabled:

`1`	`cat /proc/sys/kernel/io_uring_disabled 2>/dev/null`

Interpret the common values like this:

0: allowed, giving the largest exposure.
1: restricted for unprivileged users; exact behavior depends on kernel version and distribution policy.
2: io_uring disabled.

Check whether the RDS modules exist and can be loaded:

1
2

lsmod | grep -E "^rds|^rds_tcp"
modprobe -n -v rds_tcp 2>&1 | head -3

If CONFIG_RDS is not set, or the system has no rds_tcp module at all, this bug usually cannot be reached. Conversely, if RDS is available, io_uring is not disabled, and the system uses a relatively new general-purpose kernel, continue checking distribution fix status with higher priority.

Which Machines Deserve Priority

Prioritize these environments:

Multi-user Linux hosts, teaching machines, jump hosts, and shared development machines.
Container hosts, especially environments that allow untrusted local users or have a loose container escape surface.
Desktops or servers running newer mainline / rolling kernels, such as Arch-like rolling distributions.
HPC, Oracle RAC, or other scenarios that may genuinely use RDS.
CI workers, build machines, and lab environments that allow unprivileged users to run large amounts of local code.

For an ordinary web server where only controlled service accounts run applications and RDS is not enabled, the practical risk is much lower. But “much lower” does not mean “ignore it”: the typical impact of a kernel local privilege escalation is that an attacker first gains low-privilege access through Web, SSH, CI, containers, or an application bug, then uses the local bug to expand control.

Temporary Mitigation Ideas

The proper fix should still come from the distribution kernel update. Patch status, backported versions, and affected ranges must be checked against advisories from Debian, Ubuntu, RHEL, AlmaLinux, Rocky Linux, SUSE, Arch, cloud vendors, or container base-image providers. Do not judge only by the upstream version number.

While waiting for patches, or when an immediate kernel reboot is not possible, choose temporary measures according to the environment:

# If the business does not depend on RDS, block related module loading
sudo sh -c "printf 'install rds /bin/false\ninstall rds_tcp /bin/false\ninstall rds_rdma /bin/false\n' > /etc/modprobe.d/pintheft.conf"
sudo rmmod rds_tcp 2>/dev/null
sudo rmmod rds_rdma 2>/dev/null
sudo rmmod rds 2>/dev/null

If the business does not depend on io_uring, consider disabling or restricting it:

`1`	`sudo sysctl -w kernel.io_uring_disabled=2`

Persistent configuration needs to be written into the appropriate /etc/sysctl.d/*.conf file. Be careful with this step: modern databases, proxies, runtimes, or high-performance I/O programs may use io_uring. Confirm business dependencies before changing production systems.

How to Verify After Fixing

After upgrading the kernel, do not rely only on package-manager success output. Confirm three things:

1
2
3

uname -a
cat /proc/sys/kernel/io_uring_disabled 2>/dev/null
modprobe -n -v rds_tcp 2>&1 | head -3

If a distribution advisory explicitly says CVE-2026-43494 is fixed, the kernel may still be protected even when uname -r does not look like the newest upstream release, because the stable distribution kernel may have received a backported patch. Conversely, if the kernel comes from a self-built tree, third-party repository, cloud marketplace image, or container host template, continue checking the patch commit and build time.

References

How to Check CVE-2026-42945: Nginx Rift Trigger Conditions, Version Checks, and Upgrade Advice

Fri, 15 May 2026 17:55:42 +0800

CVE-2026-42945 is a security vulnerability in NGINX Open Source and NGINX Plus. It is also being referred to as Nginx Rift. The issue is in ngx_http_rewrite_module, and the vulnerability type is heap-based buffer overflow.

News like this is easy to turn into headlines such as “hidden for 18 years”, “remote control without a password”, or “30% of servers affected”. Those claims travel well, but when reading the patch notes and NVD description, it is better to separate the risk into concrete pieces: the issue is serious, and it does not require a logged-in account; but not every Nginx instance is automatically compromised. Triggering it requires specific rewrite configuration and request conditions.

Start with the official description

The NVD description of CVE-2026-42945 can be summarized as follows:

It affects NGINX Plus and NGINX Open Source.
The vulnerability is in ngx_http_rewrite_module.
The issue may be triggered when a rewrite directive is followed by a rewrite, if, or set directive, unnamed PCRE capture groups such as $1 and $2 are used, and the replacement string contains a question mark ?.
An unauthenticated attacker can send a crafted request to trigger the vulnerability.
The result may be a heap buffer overflow and restart of an NGINX worker process.
If ASLR is disabled on the system, code execution is possible.

F5, as the CNA, gives the following scores:

CVSS v4.0: 9.2, Critical.
CVSS v3.1: 8.1, High.
CWE: CWE-122 Heap-based Buffer Overflow.

So this is not a routine “bad config causes a 404” issue. It is a memory safety vulnerability covered by an official Nginx security fix.

Which claims need context

First, “no password required” is best understood as unauthenticated attack. In other words, the attacker does not need to log in to an Nginx admin panel, obtain SSH access, or hold an application account. But that does not mean every public-facing Nginx instance can be casually taken over.

Second, “direct remote control” depends on conditions. The more careful official framing is that the vulnerability can cause worker process restarts; on systems where ASLR is disabled, code execution is a possible outcome. On environments with ASLR enabled, proper distribution hardening, and restricted runtime privileges, the exploitation path becomes more complex.

Third, “30% of servers affected” should not be treated as “all Nginx market share equals exposed attack surface”. Real exposure depends on the version, whether the affected module is present, whether the specific rewrite configuration exists, whether the distribution has already backported the patch, and how hardened the Nginx runtime environment is.

The more accurate approach is simple: if you run Nginx in production, check it quickly; but do not decide whether you are affected based only on a headline percentage.

How to determine the affected scope

According to nginx.org release information, the nginx-1.30.1 stable release and nginx-1.31.0 mainline release published on May 13, 2026 include multiple security fixes, including the ngx_http_rewrite_module buffer overflow tracked as CVE-2026-42945.

If you use official Nginx source builds or official packages, focus on:

NGINX Open Source stable: upgrade to 1.30.1 or later.
NGINX Open Source mainline: upgrade to 1.31.0 or later.
NGINX Plus: check the fixed version for your F5-supported branch.

If you use Debian, Ubuntu, RHEL, AlmaLinux, Rocky Linux, Alpine, container images, Plesk, control panels, Ingress Controller, or cloud-provider managed components, do not rely only on the upstream version shown by nginx -v. Many distributions backport security fixes into older package versions. The version string may look old while the patch is already included.

One-minute urgency check

Use these questions for a quick risk tiering:

Is this Nginx instance directly exposed to the internet, or is it part of an API Gateway, reverse proxy, load balancer, or Ingress entry layer?
Are you using official Nginx packages, source builds, third-party control panels, or container images without having confirmed the CVE-2026-42945 fix status?
Does the configuration contain complex rewrite rules, especially consecutive rewrite, if, or set directives and unnamed captures such as $1 and $2?
Does any rewrite target include request paths, query parameters, or other user-controlled input?
Is the system weakly hardened, for example with ASLR disabled, overly privileged workers, or overly broad container permissions?

If the first two items apply and rewrite configuration has not yet been reviewed, treat it as high priority. Public entry points, shared environments, Kubernetes Ingress, edge proxies, and Nginx instances carrying login or API traffic should be upgraded or replaced with a confirmed fixed package first.

How to confirm fixes on Debian / Ubuntu / RHEL / Alpine

Distribution users should not look only at nginx -v. Debian, Ubuntu, RHEL, AlmaLinux, Rocky Linux, and Alpine often backport security patches into stable branches, so the visible version may still be lower than nginx.org’s 1.30.1 or 1.31.0.

On Debian / Ubuntu, check security advisories, package changelog, and upgrade candidates:

nginx -v
nginx -V
apt list --upgradable | grep nginx
apt changelog nginx | grep -i "CVE-2026-42945"

On RHEL / AlmaLinux / Rocky Linux, check security updates and package changelog:

1
2

yum updateinfo list security | grep -i nginx
rpm -q --changelog nginx | grep -i "CVE-2026-42945"

On Alpine, check the installed package version and security branch updates:

1
2

apk info -v nginx
apk version -v nginx

If the package manager, distribution security advisory, or vendor advisory explicitly says CVE-2026-42945 is fixed, you can treat it as backported even if the upstream version number looks old. Conversely, if the version looks new but the source is unclear, still confirm the build date and patch source.

How to check container images and Ingress Controller

In container environments, check the Nginx inside the image, not only the host. First confirm the actual embedded version:

1
2

docker run --rm your-nginx-image nginx -v
docker run --rm your-nginx-image nginx -V

Also check whether the base image has been updated. If the image is built on Debian, Ubuntu, Alpine, or distribution packages, apply the same advisory and changelog checks for that distribution. Restarting an old image is not useful; the image itself needs to be rebuilt or replaced.

For Kubernetes Ingress, confirm three things:

Whether the Ingress Controller project has published an advisory or fixed release for CVE-2026-42945.
Whether the running controller image digest has actually changed, rather than only the tag.
Whether the controller’s embedded Nginx version, build flags, and template configuration still contain high-risk rewrite rules.

Start by checking the running image:

1
2

kubectl -n ingress-nginx get pods -o wide
kubectl -n ingress-nginx describe pod <pod-name> | grep -i image

If you use a cloud-provider managed Ingress or gateway, check the corresponding cloud service advisory. Managed components usually cannot be fixed by running apt upgrade yourself; you need the provider’s fix or a switch to a fixed version.

Which rewrite patterns deserve attention

This vulnerability is related to rewrite configuration. Start by searching Nginx configuration:

1
2

grep -R "rewrite" /etc/nginx -n
grep -R "\\$[0-9]" /etc/nginx -n

Pay attention to patterns like:

`1`	`rewrite ^/old/(.*)$ /new/$1? permanent;`

The unnamed captures such as $1 and $2, plus the ? in the replacement target, are among the key conditions described by the official sources. During review, pay special attention to:

A rewrite followed by another rewrite, if, or set.
Broad captures such as (.*) and (.+) that are reused as $1 or $2.
Rewrite targets containing ? to append or discard query parameters.
Rewrite input coming from public paths, Host, URI, parameters, or upstream-controlled values.
Rewrite rules generated by panels, gateways, Ingress annotations, or templates.

If you cannot upgrade immediately, use temporary mitigations:

Reduce complex rewrite rules.
Replace unnamed captures with clearer named captures.
Avoid unnecessary ? concatenation in replacement strings.
Add WAF or reverse-proxy rules for high-risk entry points.
Confirm that ASLR is enabled.
Reduce Nginx worker privileges and verify systemd sandboxing, SELinux/AppArmor, and related hardening.

These measures are mitigations, not replacements for patching.

Remediation priority

Prioritize by exposure:

Public-facing Nginx entry points.
Reverse proxies, API Gateway, and edge gateways.
Nginx in multi-tenant environments.
Kubernetes Ingress Controller.
Plesk, control panels, marketplace images, and other components that bundle Nginx.
Internal Nginx instances that carry critical business traffic.

How to verify after upgrading: nginx -t, reload, and worker state

After updating, do not stop at “the package manager succeeded”. Confirm the configuration, process state, and actual binary have all switched over. First validate the configuration:

`1`	`nginx -t`

If there are no errors, reload smoothly:

`1`	`systemctl reload nginx`

If the package upgrade replaced the binary, confirm old workers have exited:

`1`	`ps aux \| grep nginx`

You can also inspect the master process start time and binary path to ensure the running service is not an old process still resident in memory. If needed, schedule a maintenance window and restart the service so old workers or old containers do not continue handling requests.

For containers and Ingress, also confirm the new image rollout has actually completed:

1
2

kubectl -n ingress-nginx rollout status deployment/<deployment-name>
kubectl -n ingress-nginx get pods -o wide

The key verification question is not “did the command run”, but “is live traffic now handled by Nginx processes that include the fix”.

Do not ignore the same Nginx security batch

The 1.30.1 and 1.31.0 releases published by nginx.org on the same day fixed more than CVE-2026-42945. The release information also mentions HTTP/2 request injection, SCGI/uWSGI buffer overread, charset module buffer overread, HTTP/3 address spoofing, OCSP resolver use-after-free, and other issues.

That means production environments should not only add a temporary rule for a single CVE. Treat this Nginx security release as an overall upgrade.

Summary

The key point of CVE-2026-42945 is not “all Nginx instances can be instantly taken over”. It is a long-standing memory safety vulnerability in the rewrite module that can be triggered by unauthenticated requests under specific configurations. The most direct result is worker crash and restart; on weaker environments such as systems with ASLR disabled, code execution risk is higher.

For operations teams, the handling order is straightforward:

Confirm the Nginx source and version.
Check distribution, F5, nginx.org, or cloud-provider advisories.
Upgrade to a fixed version or distribution security package as soon as possible.
Review complex rewrite configuration, especially combinations of $1, $2, and ?.
Confirm ASLR, privilege isolation, and service reload state.

The headline can be scary. The fix should be calm: confirm exposure, upgrade, then clean up high-risk rewrite rules.

References

Copy Fail CVE-2026-31431: Container Escape Risk in the Linux Kernel File-Copy Path

Fri, 01 May 2026 18:42:34 +0800

Copy Fail is a vulnerability in the Linux kernel file-copy path, tracked as CVE-2026-31431. Bugcrowd’s analysis describes it as a kernel-level issue worth attention: under specific conditions, an unprivileged user can abuse file-copy logic to trigger unauthorized writes, leading to privilege escalation or container escape.

From a risk perspective, this is not a normal application-layer vulnerability. The issue happens in the kernel path that handles file copying and page cache behavior, so its impact can extend to containers, shared hosts, CI/CD runners, PaaS platforms, and multi-tenant Linux environments. If an attacker can already run low-privileged code on a system, the vulnerability may become a stepping stone for breaking through isolation boundaries.

Where the Vulnerability Roughly Lives

Copy Fail is related to Linux kernel file-copy capabilities. Modern Linux provides several efficient copy paths, such as copy_file_range, splice-like paths, and data-copy optimizations across different file systems. These mechanisms are designed to reduce data movement between user space and kernel space and improve large-file copy performance.

The problem is that high-performance copy paths often reuse page cache, file offsets, permission checks, and file-system callbacks. If a boundary condition is not handled strictly enough, the kernel may perform a write in the wrong permission context, or expose data pages that should not be controlled by the attacker.

The core risk of Copy Fail can be summarized as:

the attacker does not need root privileges;
the attack entry point comes from common file-copy capabilities;
the affected logic runs in kernel space;
in container environments, the vulnerability may bypass namespace and mount isolation;
successful exploitation may write to host content that the container should not be able to modify.

That is why it has drawn attention. Container security depends on isolation provided by the Linux kernel. Once a kernel path itself allows unauthorized writes, the container boundary becomes fragile.

Why Container Scenarios Are More Sensitive

Containers are not virtual machines. Processes inside a container share the same Linux kernel with the host and are isolated through mechanisms such as namespaces, cgroups, capabilities, seccomp, and AppArmor/SELinux.

If a vulnerability exists in a user-space service, it usually affects only one container or one process. But if the vulnerability is in the kernel, especially one that can be triggered by an unprivileged user, an attacker may influence the host from inside a container.

That is where Copy Fail becomes dangerous. Many platforms allow users to submit build jobs, run scripts, start containers, or execute plugins. As long as an attacker can run code inside a container, they may try to use the kernel file-copy path to break isolation.

High-risk environments include:

untrusted workloads in Kubernetes clusters;
shared runners on CI/CD platforms;
sandbox platforms that allow users to upload and execute code;
multi-tenant Linux hosts;
containerized PaaS environments;
systems that run third-party plugins or extensions.

If these environments are running affected kernels and lack extra restrictions, the risk rises significantly.

Impact Depends on Kernel Patch Status

You cannot judge this kind of vulnerability only by distribution name. For the same Ubuntu, Debian, RHEL, Fedora, or Arch version, exposure depends on the kernel package that is actually running and whether the distribution has backported the fix.

During triage, prioritize three checks:

The currently running kernel version.
Whether the distribution security advisory mentions CVE-2026-31431.
Whether the cloud provider or managed platform has patched the host kernel.

You can first confirm the kernel version on the system:

`1`	`uname -a`

Then check distribution security advisories, kernel changelogs, or cloud platform notices. Do not judge safety only from the major version, because many enterprise distributions backport security fixes to older kernel branches.

Temporary Mitigation Ideas

The most reliable fix is still to update the kernel. But in environments where patches cannot be deployed immediately, you can reduce exposure first.

Common mitigation directions include:

disallow untrusted users from running privileged containers;
avoid mounting sensitive host paths into containers;
tighten container capabilities, especially avoiding unnecessary CAP_SYS_ADMIN;
use seccomp, AppArmor, or SELinux to restrict dangerous system calls and file access;
move untrusted workloads to stronger virtual-machine isolation;
destroy CI/CD runners per job instead of reusing the same host for a long time;
monitor abnormal file writes, permission changes, and signs of container escape.

These measures do not replace patches. Their role is to reduce exploitation success rate and impact, especially before patches reach production systems.

Patching Priority

Prioritize remediation by environment risk.

Patch first:

platforms that expose container execution to external users;
CI/CD nodes that run untrusted code;
multi-tenant Kubernetes nodes;
systems with user-defined plugins or script execution;
shared development machines, teaching machines, and lab platforms.

Relatively lower priority:

single-user desktops;
internal hosts that only run trusted services;
environments that already isolate untrusted code with virtual machines.

Even when risk is lower, it is still best to update the kernel through the distribution. Kernel vulnerabilities are often chained into more complex attacks, and delaying patches rarely provides much benefit.

Checklist for Operations Teams

You can process it in this order:

Inventory all Linux hosts and container nodes.
Mark machines that run untrusted code.
Check the current kernel version and distribution security advisories.
Update high-risk nodes first.
Apply temporary isolation policies to nodes that cannot be updated immediately.
Review container runtime configuration and remove unnecessary privileges and host mounts.
Reboot nodes after updating and confirm that the new kernel is actually running.
Keep change records for later audit.

Installing a kernel package does not mean the system is already running the new kernel. You must reboot after updating and confirm again:

`1`	`uname -a`

Summary

The key point of Copy Fail / CVE-2026-31431 is not that an application crashes, but that there is a permission-boundary issue in the Linux kernel file-copy path. It gives unprivileged code a chance to touch higher-privilege data-write paths, so it deserves special attention in container and multi-tenant environments.

When handling this type of vulnerability, the two most important actions are:

follow kernel patches from your distribution or cloud provider as soon as possible;
before patches are deployed, restrict untrusted code, privileged containers, and sensitive host mounts.

For personal desktops, it may not be an immediate panic issue. But for teams running container platforms, CI/CD, sandboxes, and shared hosts, it should be treated as a high-priority kernel security update.

References: