Full Report
PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. [...]
Analysis Summary
# Vulnerability: PinTheft Local Privilege Escalation
## CVE Details
- **CVE ID:** Pending (Assigned/Tracked by researchers as "PinTheft")
- **CVSS Score:** N/A (Severity presumed High/Critical for LPE)
- **CWE:** CWE-415 (Double Free), CWE-911 (Improper Reference Counting)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Vulnerable prior to the patch released on May 5, 2026.
- **Configurations:**
  - The RDS (Reliable Datagram Sockets) module must be loaded or loadable (it is available by default on **Arch Linux**).
  - The `io_uring` Linux I/O API must be enabled.
  - A readable SUID-root binary must be present on the system.
  - The current PoC targets the x86_64 architecture only.
## Vulnerability Description
PinTheft is a local privilege escalation (LPE) flaw originating from a double-free vulnerability in the Linux kernel’s RDS zerocopy implementation. The flaw exists specifically within the `rds_message_zcopy_from_user()` function. When pinning user pages, if a page fault occurs, the error handling path incorrectly drops references to pages already pinned. Because the scatterlist entries remain live after the notifier is cleared, a subsequent cleanup process drops the references a second time.
By repeatedly triggering this failed zerocopy send, an attacker "steals" `FOLL_PIN` references. This reference count corruption allows the attacker to manipulate `io_uring` fixed buffers to gain a page-cache overwrite, eventually leading to root shell execution.
## Exploitation
- **Status:** PoC available (Publicly released by V12 security team).
- **Complexity:** Medium (Requires specific kernel modules and environmental conditions).
- **Attack Vector:** Local.
## Impact
- **Confidentiality:** High (Full system access/Root privileges).
- **Integrity:** High (Ability to overwrite page-cache and system binaries).
- **Availability:** High (Potential for system instability or intentional crash).
## Remediation
### Patches
- Users should update to the latest Linux kernel versions released after **May 5, 2026**.
- Specifically, the upstream patch authored by `achender@kernel.org` addresses the RDS zerocopy send path logic.
### Workarounds
If patching is not immediately possible, disable the RDS kernel modules to close the attack vector:
```bash
# Run as root. Unload rds_tcp before rds, since rds_tcp depends on rds.
rmmod rds_tcp rds
# Prevent the modules from being loaded again (including on-demand loading
# when a process opens an RDS socket) by mapping them to /bin/false.
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
```
## Detection
- **Indicators of Compromise:** Unusual activity involving `io_uring` or RDS socket system calls; unexpected modification of SUID-root binaries or of page-cache contents for system files.
- **Detection Methods:** Audit module loading and flag any load of `rds` or `rds_tcp` on systems where they are not required. Check for module presence with `lsmod | grep rds`.
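The following script is an added example (not part of the original report or the V12 PoC) that checks the host-side preconditions of the exploit chain and confirms the workaround above is in place. It assumes the `kernel.io_uring_disabled` sysctl (present on Linux 6.6 and later) and takes file paths, so it also runs against captured copies of `/proc/modules`, `/etc/modprobe.d` and `/proc/sys/kernel/io_uring_disabled`; the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example: verify PinTheft preconditions and the modprobe.d workaround.

# 0 if rds or rds_tcp is listed in a /proc/modules-style file.
rds_loaded() {
    awk '$1 == "rds" || $1 == "rds_tcp" { found = 1 } END { exit !found }' "$1"
}

# 0 if the *.conf files in a modprobe.d directory carry both
# "install <module> /bin/false" rules from the workaround.
rds_blocked() {
    cat "$1"/*.conf 2>/dev/null | awk '
        $1 == "install" && $2 == "rds"     && $3 == "/bin/false" { a = 1 }
        $1 == "install" && $2 == "rds_tcp" && $3 == "/bin/false" { b = 1 }
        END { exit !(a && b) }'
}

# 0 if kernel.io_uring_disabled is 2 (io_uring refused for every process).
# Kernels older than 6.6 have no such file, which counts as "not off".
io_uring_off() {
    [ -r "$1" ] && [ "$(cat "$1")" = "2" ]
}

# Print one finding per open precondition; return 0 only if none is open.
assess() {
    open=0
    rds_loaded "$1"   && { echo "FINDING: rds/rds_tcp currently loaded";      open=1; }
    rds_blocked "$2"  || { echo "FINDING: no modprobe.d install rule for rds"; open=1; }
    io_uring_off "$3" || { echo "FINDING: io_uring available to all users";    open=1; }
    return "$open"
}

# Constructed sample inputs standing in for the live files (before/after
# applying the workaround and setting kernel.io_uring_disabled=2).
sample=$(mktemp -d)
mkdir "$sample/modprobe.d.before" "$sample/modprobe.d.after"
printf 'rds_tcp 32768 0 - Live 0x0000000000000000\nrds 262144 1 rds_tcp, Live 0x0000000000000000\n' > "$sample/modules.before"
: > "$sample/modules.after"
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > "$sample/modprobe.d.after/pintheft.conf"
printf '0\n' > "$sample/io_uring.before"
printf '2\n' > "$sample/io_uring.after"

for phase in before after; do
    echo "== $phase workaround =="
    if assess "$sample/modules.$phase" "$sample/modprobe.d.$phase" "$sample/io_uring.$phase"; then
        echo "all preconditions closed"
    fi
done
```

On a live host, call `assess /proc/modules /etc/modprobe.d /proc/sys/kernel/io_uring_disabled` instead of the sample paths; a non-zero exit means at least one precondition is still open.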
## References
- V12 Security PoC Repository: hxxps[://]github[.]com/v12-security/pocs/tree/main/pintheft
- Kernel Patch Submission: hxxps[://]lore[.]kernel[.]org/netdev/20260505234336.2132721-1-achender@kernel[.]org/
- Original Report: hxxps[://]www[.]bleepingcomputer[.]com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/