PinTheft Linux Flaw Grants Root Access

Jennifer sherman
May 20, 2026 3 Min Read

Security researchers have released a proof-of-concept (PoC) exploit for “PinTheft,” a newly identified Local Privilege Escalation (LPE) vulnerability impacting Linux systems.

Discovered by Aaron Esau of the V12 security team, the flaw allows local attackers to gain root access by exploiting an RDS zerocopy double-free bug.

A kernel patch is currently available, prompting the researchers to release their PoC code to the public.

PinTheft joins a growing list of recently disclosed Linux kernel vulnerabilities, underscoring the ongoing security challenges within complex kernel networking and asynchronous I/O subsystems.

The vulnerability resides within the Reliable Datagram Sockets (RDS) zerocopy send path. Specifically, the function rds_message_zcopy_from_user() pins user pages one at a time during execution.

If a subsequent page faults, the error path drops the pages it already pinned. A critical flaw emerges during later RDS message cleanup, which drops these pages a second time because the scatterlist entries and entry count remain active after the zcopy notifier clears.

This double-free condition allows each failed zerocopy send to steal exactly one reference from the first page.

To weaponize this reference count bug, the PinTheft exploit leverages io_uring. The attacker registers an anonymous page as a fixed buffer, assigning the page a FOLL_PIN bias of 1024 references.

The exploit then systematically steals these references through failing RDS zerocopy sends until io_uring is left holding a stolen page pointer. This unique methodology of stealing FOLL_PIN references is what gives the exploit its name.

PinTheft Linux Vulnerability Exploit

The PoC repository provides a highly structured exploitation sequence to achieve root access while attempting to prevent permanent system corruption. The attack execution follows a precise chain of events:

  • Target selection locates a readable SUID-root binary, prioritizing executables like /usr/bin/su, /usr/bin/mount, or /usr/bin/passwd.
  • A safety backup of the on-disk binary is created before exploitation to allow for manual restoration.
  • Page setup maps two pages and marks the second with PROT_NONE so a two-page RDS zcopy send will predictably fault.
  • Fixed-buffer registration pins the target page using IORING_REGISTER_BUFFERS, adding 1024 references.
  • A daemon child holds a cloned fixed buffer open, preventing io_buffer_unmap() from corrupting reclaimed pages later.
  • Reference theft occurs as the exploit executes 1024 failing RDS zerocopy sends, double-dropping the first page during error cleanup.
  • Page-cache reclaim evicts the SUID binary’s first page, reallocating it immediately so the stale io_uring fixed-buffer entry points to a live page cache.
  • A dangling fixed-buffer write uses IORING_OP_READ_FIXED to overwrite the cache with a small malicious ELF payload, granting a root shell upon execution.

PinTheft Linux Vulnerability (Source: V12 research team)

While the exploitation primitive is architecture-independent, the embedded shell ELF provided in the PoC is specifically compiled for x86_64 environments.

The vulnerability requires a specific kernel configuration to trigger successfully:
  • CONFIG_RDS and CONFIG_RDS_TCP must be enabled.
  • CONFIG_IO_URING must be active with io_uring_disabled=0.
  • The system must allow module autoloading to request TCP transport.

Default exposure is somewhat limited across major distributions. According to the V12 research team, the required RDS kernel module is only enabled by default on Arch Linux among the common distributions tested.

Furthermore, researchers warn that running the exploit alters the in-memory page cache of critical SUID binaries.

Rebooting or dropping caches will clear the memory overwrite, but testers on disposable machines must be careful not to leave systems in a state where common programs execute the payload unexpectedly.

Administrators are strongly advised to apply the latest kernel patches from their distribution maintainers. For systems where patching is not immediately feasible or RDS is unnecessary, administrators can mitigate the threat by entirely blacklisting the vulnerable modules.

Executing the following command prevents the RDS modules from loading upon boot:

    printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf

Administrators should also immediately remove active modules from running systems using rmmod rds_tcp rds.
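
To confirm whether a host still meets the preconditions listed above after applying the mitigation, the checks can be scripted. The following is an added example, not code from the V12 PoC or from this article's sources; the function names, argument layout and the /boot/config-<release> path are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: audit the PinTheft preconditions listed in the article.
# Function names and argument layout are assumptions of this sketch.

# kconfig_state FILE SYMBOL -> prints y (built in), m (module) or n (unset)
kconfig_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" 2>/dev/null | head -n 1)
    echo "${v:-n}"
}

# modprobe_blocked DIR MODULE -> succeeds if "install MODULE /bin/false" (or /bin/true) exists
modprobe_blocked() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(false|true)([[:space:]]|\$)"
}

# pintheft_exposure KCONFIG IO_URING_DISABLED MODULES_DISABLED MODPROBE_DIR
# Prints "exposed" when every precondition holds, else the first one that fails.
pintheft_exposure() {
    [ -r "$1" ] || { echo "unknown: kernel config not readable"; return 0; }
    rds=$(kconfig_state "$1" CONFIG_RDS)
    tcp=$(kconfig_state "$1" CONFIG_RDS_TCP)
    [ "$rds" != n ] && [ "$tcp" != n ] || { echo "not-exposed: RDS or RDS_TCP not built"; return 0; }
    [ "$(kconfig_state "$1" CONFIG_IO_URING)" = y ] || { echo "not-exposed: io_uring not built"; return 0; }
    [ "$2" = 0 ] || { echo "not-exposed: io_uring_disabled=$2"; return 0; }
    # Module controls only help for parts built as modules (=m), not built-in code (=y).
    for pair in "rds:$rds" "rds_tcp:$tcp"; do
        [ "${pair#*:}" = m ] || continue
        [ "$3" = 0 ] || { echo "not-exposed: kernel.modules_disabled=$3"; return 0; }
        if modprobe_blocked "$4" "${pair%%:*}"; then
            echo "not-exposed: install rule blocks ${pair%%:*}"; return 0
        fi
    done
    echo "exposed"
}

# Live wrapper. An absent io_uring_disabled sysctl is treated as 0 (assumption: older kernel).
pintheft_audit_live() {
    pintheft_exposure "/boot/config-$(uname -r)" \
        "$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo 0)" \
        "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo 0)" \
        /etc/modprobe.d
}
if [ "${1:-}" = "--live" ]; then pintheft_audit_live; fi
```

Run it with --live on the host being assessed. The script does not inspect modules that are already loaded, and an install rule does not unload them, which is why the rmmod step above is still needed on a running system.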

The release of the PinTheft PoC coincides with a surge in Linux kernel exploit disclosures. Recently, security researchers released PoC exploits targeting other patched Linux LPEs, tracked as DirtyDecrypt and DirtyCBC.

These vulnerabilities share conceptual similarities with previous high-profile root-escalation flaws such as Dirty Frag, Fragnesia, and Copy Fail, highlighting an ongoing trend of attackers and researchers discovering complex memory-corruption primitives in core Linux systems.
