PoC Exploit Released for PinTheft Arch Linux Root Privilege Escalation Flaw
A proof-of-concept exploit has been released for PinTheft, a Linux kernel privilege escalation vulnerability that primarily affects Arch Linux systems, allowing local attackers to gain root access.

Security researchers from the V12 team have publicly released a proof-of-concept (PoC) exploit for a newly discovered Linux kernel privilege escalation vulnerability dubbed PinTheft. The flaw, which resides in the kernel's Reliable Datagram Sockets (RDS) subsystem, allows a local attacker to escalate privileges to root on affected systems. While a CVE identifier has not yet been assigned, the vulnerability was patched earlier this month, and the public exploit now raises the urgency for unpatched installations.
PinTheft is a double-free bug in the RDS zerocopy send path. According to V12's advisory, `rds_message_zcopy_from_user()` pins user pages one at a time. If pinning a later page faults, the error path drops the pages already pinned, but the subsequent RDS message cleanup drops them again, because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send therefore removes one extra reference from the first page, and repeating the failure enough times enables a page-cache overwrite through io_uring fixed buffers.
The PoC exploit works by stealing FOLL_PIN references until io_uring is left holding a stolen page pointer, which is then leveraged to obtain a root shell. Successful exploitation requires several conditions: the RDS kernel module must be loaded, io_uring must be enabled, a readable SUID-root binary must be present, and the system must be x86_64 for the included payload. Of these, only the RDS requirement meaningfully narrows the attack surface: io_uring is enabled by default on most distribution kernels, world-readable SUID-root binaries are part of any standard installation, and x86_64 is the common case.
Crucially, V12 noted that among common Linux distributions, the RDS module is enabled by default only on Arch Linux. This makes Arch Linux the primary distribution at risk, though other systems with the RDS module manually loaded could also be vulnerable. The researchers emphasized that "the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested."
Administrators are strongly advised to install the latest kernel updates as soon as possible. For those unable to patch immediately, V12 provided a mitigation that blocks exploitation by unloading the RDS modules and deny-listing them through modprobe configuration: run `rmmod rds_tcp rds` (rds_tcp first, since it depends on rds), then add `install rds /bin/false` and `install rds_tcp /bin/false` to `/etc/modprobe.d/pintheft.conf`. The `install` lines make modprobe run `/bin/false` instead of loading the module, which also covers on-demand loading when a process opens an RDS socket; the rmmod step is still required because the configuration does not unload a module that is already resident (and rmmod will refuse if RDS sockets are still open). Verify with `lsmod | grep rds`, which should return nothing.
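The following script is an added example, not code from V12's advisory or from the article. It wraps the advisory's mitigation in a form that can be checked before it is applied: it detects whether the RDS modules are loaded, reports the io_uring state, and writes the deny-list. The function names, the `/proc/sys/kernel/io_uring_disabled` check (a sysctl that exists only on kernels 6.6 and later) and the sample lsmod text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the V12 advisory or the article): check the
# PinTheft preconditions listed above and apply the advisory's modprobe
# deny-list. Function names, the sysctl-based io_uring check and the
# sample lsmod text are assumptions of this example.

# Return 0 when lsmod-style text on stdin lists rds or rds_tcp, 1 otherwise.
rds_in_lsmod() {
    awk 'BEGIN { found = 1 }
         $1 == "rds" || $1 == "rds_tcp" { found = 0 }
         END { exit found }'
}

# io_uring state from /proc/sys/kernel/io_uring_disabled (kernel >= 6.6):
# 0 = enabled, 1 = root/io_uring_group only, 2 = disabled. Older kernels
# have no such file; io_uring is then enabled unless compiled out, so this
# example treats "file missing" as enabled (an assumption).
io_uring_state() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    if [ ! -r "$f" ]; then
        echo enabled
        return 0
    fi
    case "$(cat "$f")" in
        0) echo enabled ;;
        1) echo restricted ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Deny-list content from the advisory: "install <mod> /bin/false" makes
# modprobe run /bin/false instead of loading the module, including when the
# kernel requests it on demand for an AF_RDS socket.
pintheft_modprobe_conf() {
    printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n'
}

# Write the deny-list (default path is the one the advisory uses) and echo
# the path written.
write_pintheft_conf() {
    conf="${1:-/etc/modprobe.d/pintheft.conf}"
    pintheft_modprobe_conf > "$conf" && echo "$conf"
}

# Full mitigation: unload first, because the deny-list does not touch a
# module that is already resident. rds_tcp goes before rds since it depends
# on rds. rmmod fails (and we carry on to the deny-list) if RDS sockets are
# still open, so re-check with lsmod afterwards.
apply_pintheft_mitigation() {
    rmmod rds_tcp 2>/dev/null || true
    rmmod rds 2>/dev/null || true
    write_pintheft_conf "$1"
}

# Report exposure on the running host (needs lsmod and uname in PATH).
report_exposure() {
    if lsmod | rds_in_lsmod; then
        echo "RDS module loaded: exposed until the kernel is patched"
    else
        echo "RDS module not loaded (autoload still possible without the deny-list)"
    fi
    echo "io_uring: $(io_uring_state)"
    echo "arch: $(uname -m)"
}

# Usage: sh pintheft-check.sh --check    (report only)
#        sh pintheft-check.sh --apply    (as root: unload and deny-list)
case "${1-}" in
    --check) report_exposure ;;
    --apply) apply_pintheft_mitigation ;;
esac
```

The deny-list is written unconditionally by `--apply`, even when rmmod fails because an RDS socket is open; in that case the host stays exposed until the process holding the socket exits or the kernel is updated, which is why the report step is separate from the apply step.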
This disclosure comes amid a wave of Linux local privilege escalation vulnerabilities that have surfaced in recent weeks. Other notable flaws include DirtyDecrypt, DirtyCBC, Fragnesia, Dirty Frag, and Copy Fail, some of which have already seen active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its Known Exploited Vulnerabilities catalog on May 1, ordering federal agencies to patch within two weeks.
The PinTheft vulnerability underscores the ongoing challenge of securing the Linux kernel against privilege escalation attacks. While the exploit's limited scope—primarily affecting Arch Linux—may reduce the overall threat, the availability of a public PoC means that unpatched systems are now at increased risk. Users and administrators should prioritize applying the latest kernel updates and implementing the recommended mitigations to protect against potential attacks.