RSS

Exploit released for new PinTheft Arch Linux root escalation flaw

Brajeshwar1 pts0 comments

Exploit released for new PinTheft Arch Linux root escalation flaw

Home<br>News<br>Linux<br>Exploit released for new PinTheft Arch Linux root escalation flaw

Exploit released for new PinTheft Arch Linux root escalation flaw

By Sergiu Gatlan

May 20, 2026

06:52 AM

A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.

The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel's RDS (Reliable Datagram Sockets) and was patched earlier this month.

"PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," V12 said in a Tuesday advisory.

"The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page."

V12 also released a PoC exploit that steals FOLL_PIN references until io_uring is left holding a stolen page pointer, allowing it to obtain a root shell.

However, in addition to having the RDS module loaded on the target system, PinTheft also requires specific conditions for successful exploitation, including the io_uring Linux I/O API being enabled, a readable SUID-root binary, and x86_64 support for the included payload.

This drastically limits the attack surface, with V12 stating that the RDS module is enabled by default only on Arch Linux out of the most common Linux distros.

"Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested," V12 added.

PinTheft LPE exploit on Arch Linux (Will Dormann)

Linux users on affected distros are advised to install the latest kernel updates as soon as possible.

However, those who can't immediately patch their devices can also use the following mitigation to block exploitation attempts:

rmmod rds_tcp rds<br>printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf

This comes after a wave of other Linux local privilege escalation (LPE) vulnerabilities were disclosed over the past several weeks, some of which were zero-days with no security patches available.

Over the weekend, security researchers released PoC exploits targeting another recently patched Linux LPE (tracked as DirtyDecrypt and DirtyCBC), which belongs to the same vulnerability class as several other root-escalation flaws, including Dirty Frag, Fragnesia, and Copy Fail.

These disclosures also follow reports that threat actors have started actively exploiting the Copy Fail vulnerability in attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered government agencies to secure their Linux systems within two weeks.

Last month, Linux distros also rolled out security patches for a root-privilege escalation vulnerability (named Pack2TheRoot and found in the PackageKit daemon) that had gone unnoticed for more than a decade.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.<br>This guide covers the 6 surfaces you actually need to validate.

Download Now

Related Articles:

Exploit available for new DirtyDecrypt Linux root escalation flaw<br>New Fragnesia Linux flaw lets attackers gain root privileges<br>New Linux 'Dirty Frag' zero-day gives root on all major distros<br>CISA says &lsquo;Copy Fail&rsquo; flaw now exploited to root Linux systems<br>Recently leaked Windows zero-days now exploited in attacks

Arch Linux

Elevation of Privileges

Linux

Local Privilege Escalation

PinTheft

Privilege Escalation

Root

Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Microsoft confirms Windows 11 security update install issues

Sponsor Posts

Learn about emerging cyber-enabled cargo theft threats at NMFTA’s conference

Are stolen sessions bypassing your security? Find out for...

linux root escalation exploit pintheft arch

Related Articles

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play

Old Reddit Is Down

Crunsher7 ptsdata autoplay videoplayerelement comments function false

The ultimate female fantasy – A feminist critique of Beauty and the Beast

muge6 ptsbeast story paglia beauty older butler
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.