{"id":250991,"date":"2026-05-20T13:27:00","date_gmt":"2026-05-20T17:27:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/pintheft-linux-vulnerability-let-attackers-gain-root-access\/"},"modified":"2026-05-21T01:30:08","modified_gmt":"2026-05-21T05:30:08","slug":"pintheft-linux-vulnerability-let-attackers-gain-root-access","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/pintheft-linux-vulnerability-let-attackers-gain-root-access\/","title":{"rendered":"PinTheft Linux Vulnerability Let Attackers Gain Root Access"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/pintheft-linux-vulnerability\/\">PinTheft Linux Vulnerability Let Attackers Gain Root Access<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/pintheft-linux-vulnerability\/\">https:\/\/cybersecuritynews.com\/pintheft-linux-vulnerability\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-20 13:27:00<\/a><\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p>A proof-of-concept (PoC) exploit was published for a new Linux Local Privilege Escalation (LPE) vulnerability dubbed \u201cPinTheft.\u201d<\/p>\n<p>Discovered by Aaron Esau of the V12 security team, the flaw allows local attackers to gain root access by exploiting an RDS zerocopy double-free bug.<\/p>\n<p>A kernel patch is currently available, prompting the researchers to release their PoC code to the public.<\/p>\n<p>PinTheft joins a growing list of recently disclosed Linux kernel vulnerabilities, underscoring the ongoing security challenges within complex kernel networking and asynchronous I\/O subsystems.<\/p>\n<p>The vulnerability resides within the Reliable Datagram Sockets (RDS) zerocopy send path. Specifically, the function rds_message_zcopy_from_user() pins user pages one at a time during execution.<\/p>\n<p>If a subsequent page faults, the error path drops the pages it already pinned. A critical flaw emerges during later RDS message cleanup, which drops these pages a second time because the scatterlist entries and entry count remain active after the zcopy notifier clears.<\/p>\n<p>This double-free condition allows each failed zerocopy send to steal exactly one reference from the first page.<\/p>\n<p>To weaponize this reference count bug, the PinTheft exploit leverages io_uring. The attacker registers an anonymous page as a fixed buffer, assigning the page a FOLL_PIN bias of 1024 references.<\/p>\n<p>The exploit then systematically steals these references through failing RDS zerocopy sends until io_uring is left holding a stolen page pointer. This unique methodology of stealing FOLL_PIN references is what gives the exploit its name.<\/p>\n<h2 class=\"wp-block-heading\" id=\"exploitation-methodology\"><strong>PinTheft Linux Vulnerability Exploit<\/strong><\/h2>\n<p>The PoC repository provides a highly structured exploitation sequence to achieve root access while attempting to prevent permanent system corruption. The attack execution follows a precise chain of events:<\/p>\n<ul class=\"wp-block-list\">\n<li>Target selection locates a readable SUID-root binary, prioritizing executables like \/usr\/bin\/su, \/usr\/bin\/mount, or&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cybersecuritynews.com\/pintheft-linux-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PinTheft Linux Vulnerability Let Attackers Gain Root Access https:\/\/cybersecuritynews.com\/pintheft-linux-vulnerability\/ Publish Date: 2026-05-20 13:27:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":250993,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/PinTheft-Linux-Vulnerability.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[31,89,71,57,27],"class_list":["post-250991","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-exploit","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250991"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=250991"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250991\/revisions"}],"predecessor-version":[{"id":250995,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250991\/revisions\/250995"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/250993"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=250991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=250991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=250991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}