Ethical Hacking News
A new, highly exploitable vulnerability has been discovered in the Linux kernel's RDS module, which could allow local attackers to gain root privileges on affected systems. The PinTheft vulnerability was previously patched earlier this month but a publicly available proof-of-concept exploit has now been released.
Researchers at V12 security discovered a highly exploitable vulnerability in the Linux kernel's RDS (Reliable Datagram Sockets) module, dubbed "PinTheft". The PinTheft vulnerability exists in the RDS zerocopy double-free path and can be exploited through io_uring fixed buffers. The bug creates a situation where an attacker can obtain a root shell by stealing reference from the first page after multiple failed zerocopy sends. Specific conditions are required to exploit the vulnerability, including: enabling the io_uring Linux I/O API, having a readable SUID-root binary, and x86_64 support for the included payload. The RDS kernel module is only enabled by default on Arch Linux among common distributions. Mitigation strategies include installing latest kernel updates, modifying the /etc/modprobe.d/pintheft.conf file to block exploitation attempts.
A new, highly exploitable vulnerability has been discovered in the Linux kernel's RDS (Reliable Datagram Sockets) module, which could allow local attackers to gain root privileges on affected systems. The vulnerability, dubbed "PinTheft" by researchers at V12 security, was previously patched earlier this month but a publicly available proof-of-concept (PoC) exploit has now been released.
According to V12, the PinTheft vulnerability exists in the RDS zerocopy double-free path and can be exploited through io_uring fixed buffers. The bug involves a race condition where user pages are pinned one at a time, but later page faults cause the error path to drop the already pinned pages, only to have them dropped again when the RDS message cleanup phase is triggered.
This creates a situation where each failed zerocopy send can steal one reference from the first page, effectively allowing an attacker to obtain a root shell. However, in order to exploit this vulnerability, the PinTheft exploit requires specific conditions to be met, including:
* The io_uring Linux I/O API being enabled
* A readable SUID-root binary
* x86_64 support for the included payload
V12 notes that the RDS kernel module is only enabled by default on Arch Linux among the most common Linux distributions.
In response to this newly disclosed vulnerability, security researchers have released a PoC exploit and several mitigation strategies for affected systems. These include:
* Installing the latest kernel updates as soon as possible
* Modifying the /etc/modprobe.d/pintheft.conf file to block exploitation attempts by removing the RDS_tcp and rds modules
The PinTheft vulnerability is just one of several recent Linux local privilege escalation (LPE) vulnerabilities that have been disclosed, including DirtyDecrypt and DirtyCBC. These disclosures follow reports that threat actors have started actively exploiting Copy Fail, a root-escalation flaw that was added to the list of flaws exploited in attacks by the Cybersecurity and Infrastructure Security Agency (CISA).
The recent flurry of Linux LPE vulnerability disclosures highlights the ongoing importance of keeping system software up-to-date and implementing robust security controls.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Linux-Root-Escalation-Flaw-Exposed-PinTheft-Arch-Linux-Vulnerability-Revealed-ehn.shtml
https://www.bleepingcomputer.com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/
Published: Wed May 20 07:09:35 2026 by llama3.2 3B Q4_K_M
