PinTheft Exploit Grants Root Access on Arch Linux

A new proof of concept (PoC) has been released for PinTheft, a Linux vulnerability that was recently patched! Once again, this security flaw allows a local attacker to gain root privileges. Which systems are affected? Here’s what you need to know.

PinTheft Vulnerability Discovered

Discovered by the V12 Security team, the PinTheft vulnerability does not yet have an official CVE identifier, but it is already making headlines. It was found in the RDS (Reliable Datagram Sockets) module of the Linux kernel.

Although a patch was deployed at the beginning of May 2026, the release of this exploit increases the risk for systems that have not yet been updated. After the discovery of several flaws such as Fragnesia, Dirty Frag, or more recently DirtyDecrypt, here is yet another reason to keep your Linux machine up to date. In less than a month, this is the fifth flaw enabling local privilege escalation on Linux.

According to the security bulletin published by the V12 team: "PinTheft is a local Linux privilege escalation exploit based on an RDS zerocopy double-free that can be turned into a page cache rewrite via io_uring fixed buffers."

Technical details are available on GitHub, along with the poc.c file that makes it possible to exploit this Linux security flaw. But which Linux distributions are vulnerable?

Source: GitHub

Who Is Affected by the PinTheft Exploit?

Unlike other recently discovered exploits, this one does not affect the majority of Linux distributions. That is good news. In fact, exploiting PinTheft requires several specific conditions to be met:

  • The RDS module must be loaded on the target system.
  • The Linux I/O API io_uring must be enabled.
  • A SUID-root binary must be available for reading.
  • The included payload must support the x86_64 architecture.

What eliminates many distributions is the first requirement. According to the V12 Security team, "the required RDS kernel module is enabled by default only on Arch Linux among the common distributions we tested." Arch Linux is therefore directly impacted by PinTheft, because the module is enabled and can be loaded on demand.

It is highly recommended that you install the latest Linux kernel updates to protect yourself. Another option is to completely block exploitation attempts by disabling the RDS module on the Linux machine.

Here are the commands to run:

rmmod rds_tcp rds
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf

If you want to check whether this module is loaded in memory, simply run this command:

lsmod | grep rds

If the command returns nothing, you are good to go.
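
The two checks above can be combined into a read-only audit that also confirms the install overrides are in place and reports the io_uring setting. This is an added example, not part of the original article or the V12 advisory; the function names are hypothetical, and it assumes the standard /proc/modules, /etc/modprobe.d and kernel.io_uring_disabled locations.

```shell
#!/bin/sh
# Added example: read-only audit of the RDS workaround described above.
# It does not tell you whether the running kernel contains the patch.

# "loaded" if rds or one of its transports (rds_tcp, ...) is in the module list.
rds_module_state() {
    modules_file=${1:-/proc/modules}
    if grep -Eq '^rds(_[a-z]+)?[[:space:]]' "$modules_file" 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# "blocked" only if both rds and rds_tcp have an install override, as written
# to pintheft.conf above; otherwise the module can still be loaded on demand.
rds_autoload_state() {
    conf_dir=${1:-/etc/modprobe.d}
    for mod in rds rds_tcp; do
        grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)" \
            "$conf_dir"/*.conf || { echo loadable; return 0; }
    done
    echo blocked
}

# kernel.io_uring_disabled sysctl (Linux 6.6+): 0 = every process,
# 1 = privileged processes and io_uring_group only, 2 = nobody.
io_uring_state() {
    sysctl_file=${1:-/proc/sys/kernel/io_uring_disabled}
    [ -r "$sysctl_file" ] || { echo unknown; return 0; }
    case $(cat "$sysctl_file") in
        0) echo enabled ;;
        1) echo restricted ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine the two RDS checks into one line for a report.
pintheft_rds_verdict() {
    if [ "$(rds_module_state "$1")" = loaded ]; then
        echo "EXPOSED: rds is loaded"
    elif [ "$(rds_autoload_state "$2")" = loadable ]; then
        echo "UNBLOCKED: rds not loaded, but no install override for rds and rds_tcp"
    else
        echo "MITIGATED: rds not loaded and install overrides present"
    fi
}

echo "rds:      $(pintheft_rds_verdict)"
echo "io_uring: $(io_uring_state)"
```

Only the directory passed in (by default /etc/modprobe.d) is searched, so overrides placed in other modprobe configuration directories are not seen by this check.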

I did some research on the RDS module, which is a network protocol. There are references in an Oracle document, especially when using InfiniBand connections and Oracle RAC-type database infrastructures.

Florian Burnel Co-founder of IT-Connect