Public exploit for PinTheft Linux kernel privilege escalation vulnerability released
Summary
Hide ▲
Show ▼
A proof-of-concept exploit for the PinTheft Linux kernel privilege escalation vulnerability has been publicly released, enabling local attackers to gain root access on Arch Linux systems. The flaw is a zero-copy double-free bug in the Linux kernel's Reliable Datagram Sockets (RDS) implementation that allows page-cache overwrites through io_uring fixed buffers. Exploitation requires the RDS kernel module to be loaded, io_uring enabled, a readable SUID-root binary, and x86_64 support. Successful exploitation leads to arbitrary root shell acquisition via stolen FOLL_PIN references.
Timeline
-
20.05.2026 13:52 1 articles · 9h ago
PinTheft PoC exploit released, enabling root escalation on Arch Linux systems
A fully functional proof-of-concept exploit for the PinTheft Linux kernel privilege escalation vulnerability was released by V12. The exploit leverages a RDS zero-copy double-free bug to overwrite page cache via io_uring fixed buffers, enabling local attackers to steal FOLL_PIN references and obtain root shells. Exploitation requires specific kernel configurations: RDS module loaded, io_uring enabled, readable SUID-root binary, and x86_64 support. The RDS module is enabled by default only on Arch Linux, restricting the attack surface. The flaw was patched earlier in May 2026, but the public exploit increases exposure risk for unpatched systems.
Show sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
Information Snippets
-
PinTheft is a Linux local privilege escalation exploit targeting a zero-copy double-free vulnerability in the RDS (Reliable Datagram Sockets) kernel module.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
-
The vulnerability allows attackers to overwrite page cache via io_uring fixed buffers, enabling root shell escalation by stealing FOLL_PIN references.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
-
Successful exploitation requires the RDS kernel module to be loaded, io_uring enabled, a readable SUID-root binary, and x86_64 system support.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
-
The RDS module is enabled by default only on Arch Linux among common distributions, significantly limiting the attack surface.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
-
A public proof-of-concept exploit was released by V12, demonstrating root privilege escalation using the described technique.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52
-
The vulnerability was patched in the Linux kernel earlier in May 2026 but now faces active exploitation risks due to the PoC release.
First reported: 20.05.2026 13:521 source, 1 articleShow sources
- Exploit released for new PinTheft Arch Linux root escalation flaw — www.bleepingcomputer.com — 20.05.2026 13:52