Exploit for PinTheft Security Vulnerability in Arch Linux Published

The bottom line: The PinTheft exploit, which targets a Linux privilege escalation vulnerability, is now publicly available. The vulnerability primarily affects Arch Linux because the required RDS module is enabled by default there. Users should immediately install kernel updates or disable the RDS module.

An exploit for a recently patched Linux privilege escalation vulnerability named PinTheft is now publicly available. The V12 security team has published functional exploit code that allows local attackers to gain root privileges on affected Arch Linux systems.

The PinTheft vulnerability exists in the Linux kernel’s RDS implementation (Reliable Datagram Sockets) and was already patched earlier this month. According to V12, it is a double-free error in the RDS zero-copy path that can be turned into a page cache overwrite via io_uring fixed buffers.

The team explained: The vulnerability arose because rds_message_zcopy_from_user() pins user pages individually. If a later page fails, the error path unpins already pinned pages, and RDS message cleanup unpins them again. Any failed zero-copy send can steal a reference from the first page.

The published exploit leverages these references until io_uring holds a stolen page pointer, enabling root access. However, PinTheft requires specific conditions: the RDS module must be loaded, io_uring must be enabled, a readable SUID-root binary must be present, and the system must be x86_64.

This significantly limits the attack surface. The RDS kernel module is enabled by default only on Arch Linux, not on other common distributions. Linux users should immediately install available kernel updates. As a workaround, the RDS modules can be unloaded with the command rmmod rds_tcp rds, combined with creating a configuration file in /etc/modprobe.d/pintheft.conf.
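
The preconditions listed above can be checked on a host before and after applying the workaround. The following shell script is an added example, not code from V12 or from this article; its function names are hypothetical, and it assumes the kernel.io_uring_disabled sysctl (Linux 6.6 and later) as the indicator for io_uring and that a readable SUID-root binary is present.

```shell
#!/bin/sh
# Added example: report which PinTheft preconditions named in the article hold.
# Inputs are passed as parameters so the check also works on captured files.

# rds_loaded FILE: succeeds if FILE (in /proc/modules format) lists rds or rds_tcp.
rds_loaded() {
    [ -r "$1" ] && grep -Eq '^rds(_tcp)? ' "$1"
}

# io_uring_enabled FILE: FILE holds the kernel.io_uring_disabled value.
# 0 = enabled for everyone, 1 = limited to privileged users or io_uring_group,
# 2 = disabled. A missing file (older kernel) is treated as enabled, which is
# the conservative assumption for a defender.
io_uring_enabled() {
    [ -r "$1" ] || return 0
    [ "$(cat "$1")" = "0" ]
}

# pintheft_exposure MODULES_FILE SYSCTL_FILE ARCH
# Prints EXPOSED, or NOT_EXPOSED with the first unmet condition.
pintheft_exposure() {
    [ "$3" = "x86_64" ] || { echo "NOT_EXPOSED: arch $3"; return 0; }
    rds_loaded "$1" || { echo "NOT_EXPOSED: rds not loaded"; return 0; }
    io_uring_enabled "$2" || { echo "NOT_EXPOSED: io_uring restricted"; return 0; }
    echo "EXPOSED: rds loaded, io_uring enabled, x86_64"
}

# Live check against the running system.
pintheft_exposure /proc/modules /proc/sys/kernel/io_uring_disabled "$(uname -m)"
```

A result of "rds not loaded" only describes the current state; whether the module can still be loaded later depends on the modprobe configuration.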

This vulnerability is part of a series of Linux privilege escalation exploits disclosed in recent weeks – including DirtyDecrypt, DirtyCBC, and Copy Fail, which are already being actively exploited by cyberattackers. The U.S. agency CISA has added Copy Fail to its list of exploited vulnerabilities and is calling on government agencies to secure their Linux systems within two weeks.