ctipilot.ch

PinTheft


PinTheft — Linux kernel RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite LPE; PoC public; no CVE assigned; Arch Linux default-loaded (not Ubuntu/Debian/Fedora/RHEL/SUSE)

  • Coverage timeline: 1 entry, first 2026-05-21, last 2026-05-21 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-21 (research): PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded

Where this entity is cited

  • research: 1

Source distribution

  • bleepingcomputer.com: 1 (50%)
  • openwall.com: 1 (50%)

Entries about PinTheft (1)

2026-05-21

PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded

notable research discovered 2026-05-21 05:00 UTC

Aaron Esau (V12 Security) disclosed PinTheft on 2026-05-19 via the oss-security mailing list — a Linux kernel local privilege escalation that chains an RDS (Reliable Datagram Sockets) zerocopy double-free with io_uring fixed-buffer reference manipulation to overwrite the page cache of a SUID-root binary and gain root (oss-security / V12 Security, 2026-05-19; BleepingComputer, 2026-05-20).

The bug lives in rds_message_zcopy_from_user() in the RDS send path: a partial page fault mid-scatter causes the error path to drop already-pinned pages while leaving the scatterlist bookkeeping live, so cleanup drops the pages a second time. The exploit registers an anonymous memory page as an io_uring fixed buffer (FOLL_PIN bias of 1024 references), drains all references via 1024 deliberately failing RDS sends, then reuses the stale io_uring page pointer to overwrite the page cache of a SUID-root binary and redirect execution to attacker shellcode.

Prerequisites: RDS kernel module loaded, io_uring enabled, a readable SUID-root binary, x86_64. The RDS module is default-loaded only on Arch Linux — not on Ubuntu, Fedora, Debian, RHEL or SUSE — narrowing the primary defender population to Arch CI/CD runners, developer workstations and AUR-based servers, plus any environment that explicitly modprobe'd rds. Upstream kernel patch landed before disclosure; no CVE assigned at disclosure. Technique class: T1068 Exploitation for Privilege Escalation.

Defender detection: auditd syscall events for rds_sendmsg / io_uring_* from unexpected binaries; Sysmon Linux EID 1 with process lineage showing a non-root process spawning a root shell without sudo/su. Hardening: modprobe.d blacklist rds if not in use; sysctl kernel.io_uring_disabled=2 for untrusted workloads; apply the upstream kernel patch when distributed via the distro's normal update channel.
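As an added defender-side check (not part of this entry, the V12 Security disclosure, or any tool it cites), the POSIX shell script below audits a host against the three hardening points the entry names: whether the rds module is loaded, what kernel.io_uring_disabled is set to, and whether modprobe.d already blocks rds. The paths /proc/modules, /proc/sys/kernel/io_uring_disabled and /etc/modprobe.d/*.conf are assumptions about the host layout; the check functions take their input as text so they can also be run against captured files.

```shell
#!/bin/sh
# PinTheft exposure check. Added example, not from the advisory.
# Assumed paths: /proc/modules, /proc/sys/kernel/io_uring_disabled, /etc/modprobe.d/*.conf.

# rds_loaded_in TEXT: succeed if TEXT (contents of /proc/modules) lists the rds module.
# /proc/modules lines start with "<name> <size> ...", so match the name followed by a space.
rds_loaded_in() {
    printf '%s\n' "$1" | grep -q '^rds '
}

# io_uring_state VALUE: describe a kernel.io_uring_disabled value.
# 0 = any process may create io_uring instances, 1 = only CAP_SYS_ADMIN or the
# configured io_uring_group, 2 = fully disabled (the setting the entry recommends).
io_uring_state() {
    case "$1" in
        0) echo "enabled for all processes" ;;
        1) echo "restricted to CAP_SYS_ADMIN / io_uring_group" ;;
        2) echo "disabled" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# rds_blocked_in TEXT: succeed if TEXT (concatenated modprobe.d configs) blocks rds.
# "blacklist rds" only stops alias-based autoloading; "install rds /bin/false" also
# defeats an explicit "modprobe rds", so both forms count as a block here.
rds_blocked_in() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+rds|install[[:space:]]+rds[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# audit_host: run all three checks against the live system, one finding per line.
# Every read is guarded with "|| true" so a missing file (e.g. in a container or on
# an older kernel without the io_uring sysctl) is reported rather than aborting.
audit_host() {
    modules=$(cat /proc/modules 2>/dev/null || true)
    if rds_loaded_in "$modules"; then
        echo "WARN rds module is loaded"
    else
        echo "OK   rds module is not loaded"
    fi

    uring=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo "absent")
    echo "INFO kernel.io_uring_disabled=$uring ($(io_uring_state "$uring"))"

    confs=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    if rds_blocked_in "$confs"; then
        echo "OK   modprobe.d blocks rds"
    else
        echo "WARN no modprobe.d rule for rds (suggested: install rds /bin/false)"
    fi
}

audit_host
```

The entry's "explicitly modprobe'd rds" case is why the script treats `install rds /bin/false` as the stronger form: a plain `blacklist rds` line does not stop a manual `modprobe rds`. On kernels that predate the `kernel.io_uring_disabled` sysctl the file is absent and the script reports the value as unknown rather than assuming io_uring is restricted.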

Tags: vulnerabilities, lpe, poc-public, patch-available, global