
PinTheft PoC drops root shell risk on Arch Linux


The warning landed quietly, but the consequence is blunt: a recently patched Linux privilege escalation flaw now has a publicly available proof-of-concept exploit that can hand local attackers root privileges on Arch Linux.

The vulnerability is named PinTheft by the V12 security team and is still waiting to be assigned a CVE ID for easier tracking. It was patched earlier this month, but the new PoC changes the urgency for administrators who thought the fix had closed the door.

PinTheft targets the Linux kernel’s RDS (Reliable Datagram Sockets) and centers on an RDS zerocopy double-free. In a Tuesday advisory, V12 described how the bug lives in the RDS zerocopy send path: rds_message_zcopy_from_user pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned. Later, RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. V12 also wrote that each failed zerocopy send can steal one reference from the first page.

The PoC released by V12 turns that behavior into a root shell: it steals FOLL_PIN references until io_uring is left holding a stolen page pointer.

But PinTheft isn’t a universal break. V12 says exploitation requires the RDS module loaded on the target system, plus the io_uring Linux I/O API enabled, a readable SUID-root binary, and x86_64 support for the included payload. Those requirements shrink the set of systems that are plausibly exposed.

Even so, the limiter is harsh. V12 stated that the RDS kernel module required for the exploit is enabled by default only on Arch Linux among the common Linux distributions they tested.

“Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested,” V12 added.

V12’s recommendation is straightforward: Linux users on affected distros should install the latest kernel updates as soon as possible.

For administrators who can’t patch immediately, the advisory includes a mitigation aimed at blocking exploitation attempts by removing the relevant modules and preventing them from loading. The steps listed are:


rmmod rds_tcp rds
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
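
A read-only check for the prerequisites and the mitigation described above, as an added example that is not part of V12's advisory or this article. The function names and verdict words are this example's own; it does not check kernel patch level or the SUID-binary condition, and treating a missing io_uring_disabled sysctl as open is an assumption.

```shell
#!/bin/sh
# Read-only PinTheft exposure audit (added example). File paths are arguments
# so the checks also work on saved copies; defaults point at the live system.

# True if rds or rds_tcp is listed in a /proc/modules-format file.
rds_loaded() {
    awk '$1 == "rds" || $1 == "rds_tcp" { hit = 1 } END { exit !hit }' \
        "${1:-/proc/modules}" 2>/dev/null
}

# True only if BOTH install overrides from the advisory are in DIR/*.conf.
rds_blocked() {
    dir="${1:-/etc/modprobe.d}"
    for mod in rds rds_tcp; do
        cat "$dir"/*.conf 2>/dev/null |
            awk -v m="$mod" '$1 == "install" && $2 == m && $3 == "/bin/false" { ok = 1 }
                             END { exit !ok }' || return 1
    done
}

# True if kernel.io_uring_disabled is 0 (open to every user). Assumption:
# a missing sysctl file (kernels without this sysctl) is treated as open.
io_uring_open() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ ! -r "$f" ] || [ "$(cat "$f")" = "0" ]
}

# pintheft_status [MODULES] [MODPROBE_DIR] [IO_URING_SYSCTL] [ARCH]
pintheft_status() {
    arch="${4:-$(uname -m)}"
    if rds_loaded "$1"; then rds=loaded        # a conf file alone does not unload it
    elif rds_blocked "$2"; then rds=blocked
    else rds=loadable; fi                      # absent now, no install override present
    if [ "$rds" = blocked ]; then echo "mitigated rds=$rds"
    # x86_64 is what the published payload needs, per the advisory
    elif io_uring_open "$3" && [ "$arch" = x86_64 ]; then echo "exposed rds=$rds"
    else echo "partial rds=$rds"; fi
}

# Constructed sample: pintheft.conf was written but rmmod was never run.
demo=$(mktemp -d)
printf 'rds_tcp 16384 0 - Live 0x0\nrds 176128 1 rds_tcp, Live 0x0\n' > "$demo/modules"
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > "$demo/pintheft.conf"
echo 0 > "$demo/io_uring_disabled"
echo "sample:    $(pintheft_status "$demo/modules" "$demo" "$demo/io_uring_disabled" x86_64)"
echo "this host: $(pintheft_status)"
rm -rf "$demo"
```

The constructed sample reports "exposed rds=loaded": the override file only blocks future loads, so both mitigation steps are needed.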

This comes amid a run of other Linux local privilege escalation disclosures in recent weeks. Some were described as zero-days with no security patches available when the issue was revealed.

Over the weekend, V12’s details followed a wave of PoC exploits targeting another recently patched Linux LPE tracked as DirtyDecrypt and DirtyCBC. Those flaws are part of the same vulnerability class as several other root-escalation issues, including Dirty Frag, Fragnesia, and Copy Fail.

The Copy Fail thread has also moved from research into real-world response. Reports say threat actors have started actively exploiting the Copy Fail vulnerability in attacks. The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered government agencies to secure their Linux systems within two weeks.

And last month, Linux distributions rolled out security patches for a root-privilege escalation vulnerability named Pack2TheRoot. That flaw, found in the PackageKit daemon, had gone unnoticed for more than a decade.

For Arch Linux users, PinTheft is the latest reminder that “patched” doesn’t always end the story. In this case, the PoC’s release makes the timeline for kernel updates feel immediate, especially because V12’s testing suggests the module needed for the exploit starts enabled by default on Arch Linux, more than on other commonly used distributions.
