PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released

HomeCyber Security News PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released By Guru Baran May 20, 2026 A proof-of-concept (PoC) exploit was published for a new Linux Local Privilege Escalation (LPE) vulnerability dubbed “PinTheft.” Discovered by Aaron Esau of the V12 security team, the flaw allows local attackers to gain root access by exploiting an RDS zerocopy double-free bug. A kernel patch is currently available, prompting the researchers to release their PoC code to the public. PinTheft joins a growing list of recently disclosed Linux kernel vulnerabilities, underscoring the ongoing security challenges within complex kernel networking and asynchronous I/O subsystems. The vulnerability resides within the Reliable Datagram Sockets (RDS) zerocopy send path. Specifically, the function rds_message_zcopy_from_user() pins user pages one at a time during execution. If a subsequent page faults, the error path drops the pages it already pinned. A critical flaw emerges during later RDS message cleanup, which drops these pages a second time because the scatterlist entries and entry count remain active after the zcopy notifier clears. This double-free condition allows each failed zerocopy send to steal exactly one reference from the first page. To weaponize this reference count bug, the PinTheft exploit leverages io_uring. The attacker registers an anonymous page as a fixed buffer, assigning the page a FOLL_PIN bias of 1024 references. The exploit then systematically steals these references through failing RDS zerocopy sends until io_uring is left holding a stolen page pointer. This unique methodology of stealing FOLL_PIN references is what gives the exploit its name. PinTheft Linux Vulnerability Exploit The PoC repository provides a highly structured exploitation sequence to achieve root access while attempting to prevent permanent system corruption. The attack execution follows a precise chain of events: Target selection locates a readable SUID-root binary, prioritizing executables like /usr/bin/su, /usr/bin/mount, or /usr/bin/passwd. A safety backup of the on-disk binary is created before exploitation to allow for manual restoration. Page setup maps two pages and marks the second with PROT_NONE so a two-page RDS zcopy send will predictably fault. Fixed-buffer registration pins the target page using IORING_REGISTER_BUFFERS, adding 1024 references. A daemon child holds a cloned fixed buffer open, preventing io_buffer_unmap() from corrupting reclaimed pages later. Reference theft occurs as the exploit executes 1024 failing RDS zerocopy sends, double-dropping the first page during error cleanup. Page-cache reclaim evicts the SUID binary’s first page, reallocating it immediately so the stale io_uring fixed-buffer entry points to a live page cache. A dangling fixed-buffer write uses IORING_OP_READ_FIXED to overwrite the cache with a small malicious ELF payload, granting a root shell upon execution. While the exploitation primitive is architecture-independent, the embedded shell ELF provided in the PoC is specifically compiled for x86_64 environments. The vulnerability requires a specific kernel configuration to trigger successfully. PinTheft Linux Vulnerability (Source: V12 research team ) CONFIG_RDS and CONFIG_RDS_TCP must be enabled. CONFIG_IO_URING must be active with io_uring_disabled=0. The system must allow module autoloading to request TCP transport. Default exposure is somewhat limited across major distributions. According to the V12 research team, the required RDS kernel module is only enabled by default on Arch Linux among the common distributions tested. Furthermore, researchers warn that running the exploit alters the in-memory page cache of critical SUID binaries. Rebooting or dropping caches will clear the memory overwrite, but testers on disposable machines must be careful not to leave systems in a state where common programs execute the payload unexpectedly. Administrators are strongly advised to apply the latest kernel patches from their distribution maintainers. For systems where patching is immediately unfeasible or RDS is unnecessary, administrators can mitigate the threat by entirely blacklisting the vulnerable modules. Executing the following command prevents the RDS modules from loading upon boot: printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf Administrators should also immediately remove active modules from running systems using rmmod rds_tcp rds. The release of the PinTheft PoC coincides with a surge in Linux kernel exploit disclosures. Recently, security researchers released PoC exploits targeting other patched Linux LPEs, tracked as DirtyDecrypt and DirtyCBC. These vulnerabilities share conceptual similarities with previous high-profile root-escalation flaws such as Dirty Frag, Fragnesia, and Copy Fail, highlighting an ongoing trend of attackers and researchers discovering complex memory-corruption primitives in core Linux systems. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Windows DNS Client Vulnerability Enables Remote Code Execution Attacks Hackers Abuse Legitimate HWMonitor Binary to Load Malicious DLL Payload Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network How to Close the Most Expensive Gap in Your SOC  Latest News Cyber Security News Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware Cyber Security News Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access Cyber Security News FreePBX Vulnerability Allow Attackers to Gain Access to User Portals Cyber Security Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image Cyber Security News Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor