PinTheft Linux Vulnerability Let Attackers Gain Root Access

https://cybersecuritynews.com/pintheft-linux-vulnerability/

Publish Date: 2026-05-20 13:27:00

Source Domain: cybersecuritynews.com

A proof-of-concept (PoC) exploit was published for a new Linux Local Privilege Escalation (LPE) vulnerability dubbed “PinTheft.”

Discovered by Aaron Esau of the V12 security team, the flaw allows local attackers to gain root access by exploiting an RDS zerocopy double-free bug.

A kernel patch is already available, which is why the researchers have released their PoC code publicly.

PinTheft joins a growing list of recently disclosed Linux kernel vulnerabilities, underscoring the ongoing security challenges within complex kernel networking and asynchronous I/O subsystems.

The vulnerability resides in the Reliable Datagram Sockets (RDS) zerocopy send path. Specifically, the function rds_message_zcopy_from_user() pins the user pages of a send one at a time.

If pinning a later page fails with a fault, the error path drops the pages it has already pinned. The flaw is that the later RDS message cleanup drops those same pages a second time, because the scatterlist entries and the entry count are left in place after the zcopy notifier has been cleared.

Since the first page is pinned once but released twice, each failed zerocopy send steals exactly one reference from that first page.

To weaponize this reference-count bug, the PinTheft exploit uses io_uring. The attacker registers an anonymous page as an io_uring fixed buffer; io_uring pins the page with FOLL_PIN, which adds the 1024-count pin bias (GUP_PIN_COUNTING_BIAS) to the page's reference count.

The exploit then repeats failing RDS zerocopy sends against that page, stealing one reference per send, until those pinned references are gone and io_uring is left holding a pointer to a page whose references it no longer owns. This stealing of FOLL_PIN references is what gives the exploit its name.
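To make the reference arithmetic described above concrete, here is an added user-space model of the bug; it is not the PinTheft PoC and not kernel code. It models a page by its reference count only, pins page 0 and then faults on page 1 on every send, and releases pages once in the error path and again in message cleanup. The field names op_sg and op_nents, the starting refcount of 1 for the mapping's own reference, and the "fixed" variant (zeroing the scatterlist entry count after the error-path release so cleanup has nothing to drop) are assumptions of this model, not a description of the real patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Bias the kernel adds to a page's refcount for each FOLL_PIN pin. */
#define GUP_PIN_COUNTING_BIAS 1024
#define EFAULT 14

/* Toy page: only the reference count matters for this model. */
struct page { int refcount; };

/* Toy RDS message: the zerocopy scatterlist and its entry count.
 * Field names are hypothetical, chosen to mirror the article's description. */
struct rds_msg {
    struct page *op_sg[2];
    int op_nents;
    bool znotifier;   /* the zcopy notifier attached to the message */
};

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { p->refcount--; }

/* Pins pages one at a time; pinning page `fault_at` fails with -EFAULT.
 * The error path releases what was already pinned. With fixed=false the
 * entry count is left as-is (the bug); with fixed=true it is zeroed so the
 * later message cleanup cannot drop the same pages again. */
static int zcopy_from_user(struct rds_msg *m, struct page *pages, int npages,
                           int fault_at, bool fixed)
{
    m->op_nents = 0;
    m->znotifier = true;
    for (int i = 0; i < npages; i++) {
        if (i == fault_at) {
            for (int j = 0; j < m->op_nents; j++)
                put_page(m->op_sg[j]);          /* first drop */
            if (fixed)
                m->op_nents = 0;
            m->znotifier = false;
            return -EFAULT;
        }
        get_page(&pages[i]);
        m->op_sg[m->op_nents++] = &pages[i];
    }
    return 0;
}

/* Message cleanup: drops every page the scatterlist still describes. */
static void rds_message_cleanup(struct rds_msg *m)
{
    for (int j = 0; j < m->op_nents; j++)
        put_page(m->op_sg[j]);                  /* second drop when op_nents was not cleared */
    m->op_nents = 0;
}

/* Register page 0 as an io_uring fixed buffer (FOLL_PIN bias), then issue n
 * failing zerocopy sends that pin page 0 and fault on page 1.
 * Returns page 0's final refcount. */
int refcount_after_failed_sends(int n, bool fixed)
{
    /* Assumption: refcount 1 stands for the mapping's own reference. */
    struct page pages[2] = { { .refcount = 1 }, { .refcount = 1 } };
    struct rds_msg m = { 0 };

    pages[0].refcount += GUP_PIN_COUNTING_BIAS;   /* io_uring pins the fixed buffer */
    for (int i = 0; i < n; i++) {
        int rc = zcopy_from_user(&m, pages, 2, 1, fixed);
        if (rc == -EFAULT)
            rds_message_cleanup(&m);              /* message torn down after the failed send */
    }
    return pages[0].refcount;
}

int main(void)
{
    printf("buggy, after %d failed sends: refcount %d\n", GUP_PIN_COUNTING_BIAS,
           refcount_after_failed_sends(GUP_PIN_COUNTING_BIAS, false));
    printf("fixed, after %d failed sends: refcount %d\n", GUP_PIN_COUNTING_BIAS,
           refcount_after_failed_sends(GUP_PIN_COUNTING_BIAS, true));
    return 0;
}
```

In the buggy variant every failed send costs page 0 one reference, so 1024 sends consume exactly the bias io_uring added and leave only the mapping's own reference behind; in the fixed variant the count never moves.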

PinTheft Linux Vulnerability Exploit

The PoC repository provides a structured exploitation sequence that aims to achieve root access while avoiding permanent damage to the system. The attack proceeds as a chain of steps:

  • Target selection locates a readable SUID-root binary, prioritizing executables like /usr/bin/su, /usr/bin/mount, or…
