PinTheft: New Linux LPE Exploit Grants Root Access via RDS Zerocopy Bug
A newly disclosed Linux Local Privilege Escalation (LPE) vulnerability, dubbed PinTheft, allows local attackers to gain root access by exploiting a double-free flaw in the Reliable Datagram Sockets (RDS) zerocopy send path. Discovered by Aaron Esau of the V12 security team, the vulnerability (CVE pending) was made public alongside a proof-of-concept (PoC) exploit after a kernel patch was released.
The flaw resides in the rds_message_zcopy_from_user() function, which pins user pages during execution. If a page fault occurs, the error path drops already-pinned pages but a cleanup oversight causes these pages to be freed a second time, creating a double-free condition. Attackers can weaponize this by systematically stealing references from a pinned page using io_uring, ultimately hijacking a page cache entry to overwrite a SUID-root binary (e.g., /usr/bin/su or /usr/bin/passwd) with a malicious payload.
The PoC exploit follows a precise sequence: mapping pages, registering a fixed buffer with io_uring, and executing 1,024 failing RDS zerocopy sends to drain references. Once the target page is reallocated, the exploit uses IORING_OP_READ_FIXED to inject an ELF payload, granting root access upon execution. While the primitive is architecture-agnostic, the provided PoC targets x86_64 systems.
Exploitation requires specific kernel configurations: CONFIG_RDS, CONFIG_RDS_TCP, and CONFIG_IO_URING must be enabled, with io_uring_disabled=0. Module autoloading for TCP transport is also necessary. Among major distributions, only Arch Linux enables the RDS module by default, though other systems may be vulnerable if manually configured.
Administrators can mitigate the risk by applying kernel patches or blacklisting the vulnerable modules (rds and rds_tcp) via:
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
Active modules should be removed with rmmod rds_tcp rds. Researchers caution that running the exploit alters in-memory page caches of SUID binaries, requiring a reboot or cache drop to clear modifications.
PinTheft joins a recent wave of Linux kernel LPE disclosures, including DirtyDecrypt and DirtyCBC, reflecting ongoing challenges in securing complex networking and asynchronous I/O subsystems. The trend mirrors past high-profile flaws like Dirty Frag and Copy Fail, underscoring persistent memory-corruption risks in core Linux components.
Source: https://cybersecuritynews.com/pintheft-linux-vulnerability/
Linux TPRM report: https://www.rankiteo.com/company/the-linux-foundation
Rankiteo record: id the1779301477, linkid the-linux-foundation, type Vulnerability, date 5/2026, severity 85, impact 4, explanation "Attack with significant impact with customers data leaks".