ctipilot.ch

PinTheft — Linux kernel RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite LPE; PoC public; no CVE assigned; Arch Linux default-loaded (not Ubuntu/Debian/Fedora/RHEL/SUSE)

vulnerability-trend · item:pintheft-linux-kernel-rds-zerocopy-iouring-lpe-no-cve-arch-d

Coverage timeline: 1 (first 2026-05-21 → last 2026-05-21)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-21 · CTI Daily Brief — 2026-05-21
     research · First coverage. V12 Security disclosure on oss-security 2026-05-19; technique: rds_message_zcopy_from_user() partial page-fault double-free + io_uring fixed-buffer reuse, SUID page-cache overwrite to root; upstream kernel patched pre-disclosure; CVE-less.

Where this entity is cited

  • research: 1

Source distribution

  • bleepingcomputer.com: 1 (50%)
  • openwall.com: 1 (50%)

Items in briefs about PinTheft — Linux kernel RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite LPE; PoC public; no CVE assigned; Arch Linux default-loaded (not Ubuntu/Debian/Fedora/RHEL/SUSE) (1)

PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

Aaron Esau (V12 Security) disclosed PinTheft on 2026-05-19 via the oss-security mailing list: a Linux kernel local privilege escalation that chains an RDS (Reliable Datagram Sockets) zerocopy double-free with io_uring fixed-buffer reference manipulation to overwrite the page cache of a SUID-root binary and gain root (oss-security / V12 Security, 2026-05-19; BleepingComputer, 2026-05-20).

The bug lives in rds_message_zcopy_from_user() in the RDS send path. When a page fault occurs part-way through pinning the user scatterlist, the error path releases the pages already pinned but leaves the scatterlist bookkeeping populated, so the later cleanup releases the same pages a second time.

The exploit turns that double release into a page use-after-free. It registers an anonymous page as an io_uring fixed buffer; registration pins the page with FOLL_PIN, which raises the page refcount by GUP_PIN_COUNTING_BIAS (1024) rather than by one. 1024 deliberately failing RDS sends, each dropping the page an extra time, cancel the whole pin, and the page is freed while io_uring still holds a reference to it. The exploit then uses that stale fixed-buffer reference to write into the page cache of a readable SUID-root binary and redirect its execution to attacker shellcode, which runs as root.

Prerequisites: the rds kernel module loaded, io_uring usable by the attacker's process, a readable SUID-root binary, x86_64. The disclosure reports that rds loads by default only on Arch Linux, not on Ubuntu, Fedora, Debian, RHEL or SUSE, which narrows the primary defender population to Arch CI/CD runners, developer workstations and AUR-based servers, plus any environment that explicitly modprobe'd rds. The practitioner's check is not only whether rds is loaded now: on a kernel that ships rds as a module without a modprobe.d restriction, an unprivileged socket(AF_RDS, ...) call autoloads it via request_module(), so lsmod output alone can understate exposure. The upstream kernel patch landed before disclosure; no CVE was assigned at disclosure. Technique class: T1068 Exploitation for Privilege Escalation.

Defender detection: there is no rds_sendmsg syscall (it is a kernel function); RDS traffic goes through sendmsg() on an AF_RDS socket, and auditing sendmsg() itself is too noisy to be useful. Audit socket() with a0=21 (AF_RDS) plus io_uring_setup / io_uring_register from unexpected binaries; on a host with no RDS workload, any unprivileged process opening an AF_RDS socket is itself a strong signal. Sysmon for Linux EID 1 with process lineage showing a non-root process spawning a root shell without sudo/su covers the post-exploitation step.

Hardening: `install rds /bin/false` in /etc/modprobe.d if RDS is not in use (a plain `blacklist rds` stops the alias-based autoload that socket(AF_RDS) triggers but still permits an explicit modprobe); `sysctl kernel.io_uring_disabled=2` for untrusted workloads (available since kernel 6.6; the value 1 restricts io_uring to CAP_SYS_ADMIN and members of kernel.io_uring_group); apply the upstream kernel patch when it arrives through the distro's normal update channel. Verify with `lsmod | grep '^rds '`, `modprobe --showconfig | grep rds` and `sysctl kernel.io_uring_disabled`.
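The exposure check, audit rules and hardening fragments described above, as an added example that is not code from V12 Security, the PoC or the kernel tree. It assumes AF_RDS is 21 (linux/socket.h), that kernel.io_uring_disabled exists (kernels 6.6 and later; its absence is treated as io_uring enabled), and that the audit userspace syscall tables know the io_uring syscall names (audit 3.0 and later; otherwise use the x86_64 numbers 425 and 427). The live part is read-only and deliberately never calls socket(AF_RDS), since that would autoload the module it is checking for.

```shell
#!/bin/sh
# PinTheft prerequisite check. Added example, not V12 Security's or the kernel's
# code. Assumptions: AF_RDS == 21; kernel.io_uring_disabled exists on 6.6+;
# audit 3.0+ knows io_uring_setup/io_uring_register by name.

# Meaning of kernel.io_uring_disabled (Documentation/admin-guide/sysctl/kernel.rst).
iouring_state() {
  case "$1" in
    0) echo enabled ;;          # any process may call io_uring_setup()
    1) echo privileged-only ;;  # CAP_SYS_ADMIN or members of kernel.io_uring_group
    2) echo disabled ;;         # io_uring_setup() fails for everyone
    *) echo unknown ;;
  esac
}

# Classify modprobe.d content (stdin) by what it does to the rds module.
# "install rds /bin/false" defeats every load path, including an explicit
# modprobe; "blacklist rds" only stops the alias-based autoload that an
# unprivileged socket(AF_RDS, ...) call triggers through request_module().
rds_modprobe_policy() {
  conf=$(cat)
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+(/usr)?/bin/(false|true)'; then
    echo install-blocked
  elif printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*blacklist[[:space:]]+rds([[:space:]]|$)'; then
    echo blacklisted
  else
    echo autoloadable
  fi
}

# Combine the prerequisites into one verdict.
#   $1 = 1 if rds is currently listed in /proc/modules, else 0
#   $2 = output of rds_modprobe_policy
#   $3 = value of kernel.io_uring_disabled
pintheft_exposure() {
  if [ "$1" != 1 ] && [ "$2" != autoloadable ]; then
    echo not-exposed-rds   # module absent and a socket() call cannot pull it in
    return 0
  fi
  case "$(iouring_state "$3")" in
    disabled)        echo not-exposed-iouring ;;
    privileged-only) echo reduced ;;   # only io_uring_group members reach the primitive
    *)               echo exposed ;;
  esac
}

# Audit rules for the two observable steps: AF_RDS socket creation (a0 = 21)
# and io_uring setup/registration. sendmsg() itself is far too noisy to audit.
audit_rules() {
  cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=21 -F key=pintheft_rds
-a always,exit -F arch=b64 -S io_uring_setup -S io_uring_register -F key=pintheft_iouring
EOF
}

# Hardening fragments for hosts that need neither RDS nor unprivileged io_uring.
hardening_fragments() {
  printf '# /etc/modprobe.d/rds.conf\ninstall rds /bin/false\n'
  printf '# /etc/sysctl.d/99-iouring.conf\nkernel.io_uring_disabled = 2\n'
}

# Live, read-only report for the host this runs on.
loaded=0
if grep -q '^rds ' /proc/modules 2>/dev/null; then loaded=1; fi
policy=$(cat /etc/modprobe.d/*.conf 2>/dev/null | rds_modprobe_policy)
iou=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo 0)
echo "rds loaded: $loaded, modprobe policy: $policy, io_uring_disabled: $iou"
echo "verdict: $(pintheft_exposure "$loaded" "$policy" "$iou")"
```

Run it as any user; the verdict is `exposed`, `reduced`, `not-exposed-rds` or `not-exposed-iouring`. Load the audit rules with `auditctl -R` on a file produced by `audit_rules`, and note that `reduced` still leaves the primitive reachable from any account in kernel.io_uring_group.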