oss-security - PinTheft Linux LPE

Message-ID:
Date: Tue, 19 May 2026 15:36:05 +0100
From: Sam James
To: oss-security@...ts.openwall.com
Subject: PinTheft Linux LPE

v12-security have shared a new Linux LPE today, PinTheft [0].

Quoting their abstract:
> PinTheft is a Linux local privilege escalation exploit for an RDS
> zerocopy double-free that can be turned into a page-cache overwrite
> through io_uring fixed buffers.
> PinTheft was discovered with V12 by Aaron Esau of the V12 security
> team. We duped on this bug with some other teams and a patch is
> available so we are releasing our PoC.
> The bug lived in the RDS zerocopy send
> path. rds_message_zcopy_from_user() pins user pages one at a time. If
> a later page faults, the error path drops the pages it already pinned,
> and later RDS message cleanup drops them again because the scatterlist
> entries and entry count remain live after the zcopy notifier is
> cleared. Each failed zerocopy send can steal one reference from the first page.
> The PoC uses io_uring to make that refcount bug useful. It registers
> an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
> of 1024 references. It then steals those references with failing RDS
> zerocopy sends, frees the page, reclaims it as page cache for a
> SUID-root binary, and uses the stale io_uring fixed-buffer page
> pointer to overwrite that page cache with a small ELF
> payload. Executing the SUID binary drops into a root shell.
> Sadly, the RDS kernel module this requires is only default on Arch
> Linux among the common distributions we tested.

The referenced kernel module is CONFIG_RDS + CONFIG_RDS_TCP. I attached their PoC too.

[0] https://github.com/v12-security/pocs/tree/09e835b587bf71249775654061ae4c79e92cf430/pintheft

thanks,
sam

View attachment "poc.c" of type "text/plain" (28215 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (419 bytes)
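Since the post notes that the bug is only reachable where the rds/rds_tcp modules are present, here is an added defensive check (not part of Sam's mail or the v12-security PoC) that reports whether those modules are loaded or already blocked from auto-loading via a modprobe.d drop-in, and decodes the kernel.io_uring_disabled sysctl that governs the io_uring half of the chain. The function names, the path parameters and the sample /proc/modules lines are assumptions made for this example.

```shell
#!/bin/sh
# Added defensive helpers; function names and path parameters are assumptions,
# not code from the original post or the v12-security PoC.

# True if rds or rds_tcp appears in a /proc/modules-formatted file ($1).
rds_loaded() {
    awk '$1 == "rds" || $1 == "rds_tcp" { found = 1 } END { exit !found }' "$1"
}

# True if some .conf in the modprobe.d directory ($1) already neutralises rds
# with an "install rds /bin/true" or "/bin/false" line (the classic CIS-style block).
rds_blocked() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(true|false)([[:space:]]|$)'
}

# Emit the drop-in that stops rds/rds_tcp from being loaded on demand
# (an AF_RDS socket() call would otherwise request the module).
rds_block_conf() {
    printf 'install rds /bin/false\n'
    printf 'install rds_tcp /bin/false\n'
    printf 'blacklist rds\n'
    printf 'blacklist rds_tcp\n'
}

# Decode kernel.io_uring_disabled (sysctl present since Linux 6.6) from its value ($1).
io_uring_policy() {
    case "$1" in
        0) echo "io_uring available to all processes" ;;
        1) echo "io_uring restricted to CAP_SYS_ADMIN or kernel.io_uring_group members" ;;
        2) echo "io_uring disabled" ;;
        *) echo "unknown io_uring_disabled value: $1"; return 1 ;;
    esac
}

# Live report against the running system (read the real /proc and /etc paths).
pintheft_exposure_report() {
    if rds_loaded /proc/modules; then
        echo "rds is LOADED"
    elif rds_blocked /etc/modprobe.d; then
        echo "rds not loaded and blocked from auto-loading"
    else
        echo "rds not loaded but still auto-loadable; suggested drop-in:"
        rds_block_conf
    fi
    if [ -r /proc/sys/kernel/io_uring_disabled ]; then
        io_uring_policy "$(cat /proc/sys/kernel/io_uring_disabled)"
    fi
}
```

Call pintheft_exposure_report on a host to get the combined picture; the drop-in it prints belongs in /etc/modprobe.d/ and takes effect for future module requests, so a module that is already loaded still needs a reboot or rmmod.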
