PinTheft: Another Linux Privilege Escalation, Another Working Exploit, This Time Targeting Arch

Pierluigi Paganini
May 20, 2026

PinTheft is a Linux LPE flaw in the RDS subsystem with public exploit code. Arch Linux users face the highest risk and should patch immediately.

The wave of Linux local privilege escalation vulnerabilities showing up with working exploit code is not slowing down. The latest is PinTheft, discovered by the V12 security team, which affects the Linux kernel’s RDS (Reliable Datagram Sockets) subsystem and already has a public proof-of-concept available. No CVE has been assigned yet, but a patch landed earlier this month.

“PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers.” reads the advisory. “The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page.”

The vulnerability stems from how the kernel handles page references when a zerocopy send operation fails partway through.

A double-free flaw lets attackers gradually steal memory references until they can overwrite the page cache and gain root access. The exploit uses a technique similar to recent Linux LPE bugs like Dirty Frag, Fragnesia, and Copy Fail.

The attack surface here is significantly narrower than some of the other recent LPEs, and that is worth being precise about. PinTheft requires the RDS kernel module to be loaded, io_uring to be enabled, a readable SUID-root binary on the system, and x86_64 architecture for the included payload to work. The…

Source

PinTheft: Another Linux Privilege Escalation, Another Working Exploit, This Time Targeting Arch