PinTheft — A New Linux Kernel Privilege Escalation Flaw Puts Arch Linux Users at Immediate Risk
A new Linux kernel local privilege escalation (LPE) vulnerability, named PinTheft by its discoverers, went public this week alongside a fully working proof-of-concept exploit. The flaw allows any unprivileged local user on a susceptible system to gain a root shell — a complete system takeover — without requiring a race condition, making exploitation reliable and repeatable.
The vulnerability was discovered by Aaron Esau of the V12 Security team, who coordinated disclosure with the Linux kernel community. A candidate upstream fix was posted to the netdev kernel mailing list on May 5, 2026, and V12 released the PoC only after confirming the patch had landed upstream. As of publication, no CVE identifier has been assigned yet, and no NVD entry or CVSS score exists.
The Vulnerability: A Double-Free in the RDS Zero-Copy Path
The root cause lives in rds_message_zcopy_from_user(), a function within the Linux kernel’s Reliable Datagram Sockets (RDS) subsystem that handles zero-copy data transmission. During a zero-copy send operation, the function pins user-space memory pages into kernel space one page at a time. If a subsequent page triggers a fault mid-operation, the kernel’s error handling path correctly drops the already-pinned pages. However, the RDS message cleanup routine later drops those same pages a second time, because the scatterlist entries and entry count remain live after the zero-copy notifier is cleared — a classic double-free of page references.
On its own, a reference-counting error of this kind is difficult to turn into a reliable exploit. PinTheft is notable precisely because it chains this subtle bug with a second subsystem — io_uring — to transform it into a consistent, weaponizable primitive.
The Exploit Chain: From Double-Free to Root Shell
The exploit begins by registering an anonymous memory page as an io_uring fixed buffer, which assigns the page a FOLL_PIN reference bias of 1,024 counts. The attacker then initiates 1,024 deliberately failing RDS zero-copy sends, each of which “steals” one reference from that pinned page. Once all references are exhausted, io_uring is left holding a dangling pointer to memory it no longer legitimately owns.
With that dangling buffer pointer in hand, the exploit evicts the first page of a target SUID-root binary from the page cache and waits to reclaim the same physical memory frame. Using io_uring’s stale pointer, it then overwrites the page cache of that privileged binary — preferred targets include /usr/bin/su, /usr/bin/passwd, and /usr/bin/pkexec — with a small custom ELF payload. Executing the modified binary yields a root shell.
This technique is what gives PinTheft its name: it systematically “steals” FOLL_PIN kernel page references until the kernel’s own bookkeeping betrays it.
Who Is Affected?
The underlying bug in the RDS zero-copy path has existed since Linux kernel version 4.17 (2018), but the exploit chain requires modern io_uring features that did not exist at that time. The released PoC targets the x86_64 architecture, though the technique itself is not architecturally constrained.
Exploitation requires all four of the following conditions to be true on the target system:
- The attacker already has unprivileged local code execution on the host
- The RDS kernel module (rds, rds_tcp) is loaded
- io_uring must be enabled
- A SUID-root binary that can be targeted is present (e.g., su, passwd)
The most significant limiting factor is the RDS module. V12 confirmed that among commonly tested distributions, only Arch Linux loads the RDS module by default. Other major distributions — including Ubuntu, Debian, Fedora, RHEL, AlmaLinux, Rocky Linux, CentOS Stream, and Oracle UEK — either block the module from autoloading or do not build it at all, substantially limiting the real-world attack surface.
Patch and Mitigation Guidance
A kernel fix is already available upstream. Downstream distribution maintainers are in the process of integrating it. Arch Linux users should update their kernels immediately. For systems that cannot be patched right away, the following mitigations apply:
Recommended Mitigations
- Block the RDS module from loading. Add the following to /etc/modprobe.d/pintheft.conf:

  ```
  install rds /bin/false
  install rds_tcp /bin/false
  ```

- If the module is already loaded, unload it with `rmmod rds_tcp rds`.
- On hosts that had untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially compromised. Rotate host keys and review any administrative material that lived in the memory of set-uid processes.
- Post-testing warning: Because PinTheft overwrites the in-memory page cache, any test machine left in an exploited state will trigger the payload for any user who subsequently runs the overwritten SUID binary. Flush the cache or reboot immediately after any experimentation.
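As an added example (not V12's code or anything from the kernel project), a small POSIX shell audit script that checks the three host-side preconditions and mitigations above: whether an RDS module is loaded, whether the modprobe drop-in blocks both rds and rds_tcp, and whether io_uring is reachable by unprivileged users. It assumes the kernel.io_uring_disabled sysctl, which exists only on kernels 6.6 and later; the sample /proc/modules and drop-in contents it embeds are constructed.

```shell
#!/bin/sh
# Audit helper for the PinTheft preconditions and mitigations described above.
# Added example, not V12's or the kernel's code. It inspects /proc/modules, the
# modprobe drop-in named in the article and the kernel.io_uring_disabled sysctl
# (present on 6.6+ kernels; absent means io_uring is unrestricted).
CONF="/etc/modprobe.d/pintheft.conf"   # path used in the article
# 0 if any rds* module appears in a /proc/modules listing passed as $1.
rds_loaded_in() {
    printf '%s\n' "$1" | grep -qE '^rds[_a-z]* '
}
# 0 if $1 (contents of a modprobe drop-in) blocks both rds and rds_tcp.
rds_blocked_by() {
    printf '%s\n' "$1" | grep -qE '^install[[:space:]]+rds[[:space:]]+/bin/false' &&
    printf '%s\n' "$1" | grep -qE '^install[[:space:]]+rds_tcp[[:space:]]+/bin/false'
}
# 0 if unprivileged users can set up io_uring, given the sysctl value in $1
# (0 = enabled, 1 = restricted to privileged users, 2 = disabled, empty = no knob).
io_uring_open_for() {
    case "$1" in 1|2) return 1 ;; *) return 0 ;; esac
}
# Live audit of the running host; exits 1 if RDS is loaded or not blocked.
audit_host() {
    modules=$(cat /proc/modules 2>/dev/null)
    conf=$(cat "$CONF" 2>/dev/null)
    knob=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null)
    status=0
    if rds_loaded_in "$modules"; then
        echo "FAIL: RDS module loaded; run 'rmmod rds_tcp rds' and patch"; status=1
    else
        echo "ok:   no RDS module loaded"
    fi
    if rds_blocked_by "$conf"; then
        echo "ok:   $CONF blocks rds and rds_tcp"
    else
        echo "WARN: $CONF does not block both rds and rds_tcp"; status=1
    fi
    if io_uring_open_for "$knob"; then
        echo "INFO: io_uring usable by unprivileged users (exploit precondition)"
    else
        echo "ok:   io_uring restricted (kernel.io_uring_disabled=$knob)"
    fi
    return $status
}
# Constructed sample data (not from a real host) for exercising the checks offline.
SAMPLE_MODULES="rds_tcp 24576 0 - Live 0x0000000000000000
rds 110592 1 rds_tcp, Live 0x0000000000000000"
SAMPLE_CONF="install rds /bin/false
install rds_tcp /bin/false"
[ "${1:-}" = "audit" ] && audit_host
```

Run it as `sh pintheft-check.sh audit` on the host to audit; a non-zero exit status means the RDS module is still loaded or not blocked.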
Part of a Broader 2026 Linux LPE Wave
PinTheft is the latest in a rapidly growing series of Linux kernel local privilege escalation vulnerabilities disclosed in early 2026, all sharing the broad technique of page-cache overwrite exploits. Threat actors have already been observed actively exploiting the earlier Copy Fail vulnerability in the wild.
| Name | Disclosed | CVE | Scope |
|---|---|---|---|
| Copy Fail | April 29, 2026 | CVE-2026-31431 | Most major distros; actively exploited in the wild |
| Dirty Frag | May 7, 2026 | — | Linux kernel networking subsystem |
| Fragnesia | May 13, 2026 | — | Linux kernel networking subsystem |
| DirtyDecrypt / DirtyCBC | ~May 17–19, 2026 | CVE-2026-31635 | CONFIG_RXGK systems; PoC released |
| CVE-2026-46333 | May 2026 | CVE-2026-46333 | Debian, Fedora, Ubuntu; 9-year-old ptrace flaw |
| PinTheft | May 20, 2026 | Pending | Arch Linux (default); others if RDS loaded |
The frequency and sophistication of these disclosures have prompted renewed scrutiny of the Linux kernel’s networking and asynchronous I/O subsystems. Each new PoC in the series raises the question of how many similar bugs remain undiscovered in these complex, rarely audited code paths. Security teams are urged to treat kernel hygiene — prompt patching, module allowlisting, and privilege minimization — as a first-line defense rather than a periodic maintenance task.
Timeline
For Arch Linux users and any administrators who may have non-default RDS module loading configured, this vulnerability demands immediate action. The combination of a reliable exploit, a public PoC, and no CVE assignment yet — meaning automated vulnerability scanners may not flag it — creates a window of elevated risk that should not be left open.
