New PinTheft Vulnerability Allows Root Access on Arch Linux
Severity: High (Score: 65.2)
Sources: Bleepingcomputer, github.com, Cybersecuritynews
Keywords: linux, pintheft, vulnerability, root, exploit, escalation, attackers
Severity indicators: vulnerability, ot
Summary
A new Linux privilege escalation vulnerability, named PinTheft, allows local attackers to gain root access on Arch Linux systems. The flaw, identified by the V12 security team, is an RDS zerocopy double-free bug in the Linux kernel. A proof-of-concept (PoC) exploit has been released; it requires specific conditions, such as the RDS module being loaded and io_uring being enabled. The vulnerability has not yet been assigned a CVE ID but was patched earlier this month. Users are advised to update their kernels immediately, while those unable to patch can implement mitigations. This incident follows a series of other local privilege escalation vulnerabilities disclosed recently, some of which were actively exploited. Among major distributions, the RDS module is enabled by default only on Arch Linux, which limits the attack surface. Security researchers have also noted that threat actors are exploiting other related vulnerabilities.

Key Points:
• PinTheft allows local attackers to escalate privileges to root on Arch Linux systems.
• A proof-of-concept exploit has been released, requiring specific conditions for successful exploitation.
• Users are urged to apply kernel updates immediately to mitigate the risk.
Detailed Analysis
**Impact**
The vulnerability affects Arch Linux systems with the RDS kernel module enabled by default, limiting the scope primarily to this distribution. Local attackers can gain root privileges, potentially compromising system integrity and sensitive data. The exploit requires specific conditions, reducing the overall attack surface but posing significant risk to affected systems in any sector using Arch Linux, particularly those relying on SUID-root binaries and io_uring. No specific geographic or sectoral data is provided.

**Technical Details**
PinTheft exploits a double-free bug in the Linux kernel's RDS zerocopy send path (rds_message_zcopy_from_user()), enabling page-cache overwrite through io_uring fixed buffers. The attack requires the RDS module loaded, io_uring enabled, a readable SUID-root binary, and x86_64 architecture. A proof-of-concept exploit was released by the V12 security team; no CVE ID has been assigned yet. The vulnerability is a local privilege escalation targeting the kernel, impacting the post-exploitation and privilege escalation stages of the kill chain. No IOCs are provided.

**Recommended Response**
Apply the latest Linux kernel updates that patch the RDS zerocopy double-free vulnerability immediately. For systems that cannot be patched promptly, disable the RDS kernel module to mitigate exploitation. Monitor for unusual local privilege escalation attempts and ensure that io_uring is disabled if not required. No additional detection rules or IOCs are specified in the available information.
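The preconditions and mitigations named above can be checked on a host with a short script. This is an added example, not code from the V12 team or the source articles: the function names, verdict strings and the `install rds /bin/false` modprobe rule are assumptions, `kernel.io_uring_disabled` is the kernel's own sysctl, and the readable SUID-root binary condition is not checked.

```shell
#!/bin/sh
# Added example: exposure check for the PinTheft preconditions listed above.
# File paths are arguments so the functions can be run on constructed samples.

# Succeeds if the rds module appears in a /proc/modules-format file.
rds_loaded() {
    [ -r "$1" ] && grep -q '^rds ' "$1"
}

# Succeeds if a modprobe.d-style directory holds an "install rds /bin/false"
# (or /bin/true) rule, one common way to keep the module from being loaded.
rds_blocked() {
    [ -d "$1" ] && grep -Eqs \
        '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(false|true)' \
        "$1"/*.conf
}

# Succeeds if unprivileged processes can create io_uring instances.
# kernel.io_uring_disabled: 0 = enabled for all, 1 = privileged only, 2 = off.
# A missing file (kernel without this sysctl) is treated as enabled (assumption).
io_uring_enabled() {
    [ -r "$1" ] || return 0
    [ "$(cat "$1")" = "0" ]
}

# Prints one verdict line. Args: arch, modules file, sysctl file, modprobe.d dir.
pintheft_exposure() {
    if [ "$1" != "x86_64" ]; then
        echo "conditions-not-met: arch $1"; return 0
    fi
    if ! io_uring_enabled "$3"; then
        echo "conditions-not-met: io_uring restricted"; return 0
    fi
    if rds_loaded "$2"; then
        echo "conditions-met: rds loaded, io_uring enabled"; return 0
    fi
    if rds_blocked "$4"; then
        echo "conditions-not-met: rds blocked"; return 0
    fi
    # Not loaded now, but nothing prevents it from being loaded later.
    echo "review: rds not loaded and no install rule found"
}

# Live check on the local host.
pintheft_exposure "$(uname -m)" /proc/modules \
    /proc/sys/kernel/io_uring_disabled /etc/modprobe.d
```

A `conditions-met` verdict means the host should be patched or have the RDS module disabled first; it does not confirm that the running kernel is unpatched.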
Source articles (3)
- PinTheft Linux Vulnerability Let Attackers Gain Root Access — Cybersecuritynews · 2026-05-20
A proof-of-concept (PoC) exploit was published for a new Linux Local Privilege Escalation (LPE) vulnerability dubbed “PinTheft.” Discovered by Aaron Esau of the V12 security team, the flaw allows loca…
- DirtyDecrypt — github.com · 2026-05-20
- Exploit released for new PinTheft Arch Linux root escalation flaw — Bleepingcomputer · 2026-05-20
A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. The v…
Timeline
- 2026-05-01 — CISA adds Copy Fail to exploited vulnerabilities list: CISA identified Copy Fail as actively exploited and ordered agencies to secure Linux systems.
- 2026-05-01 — Patch released for PinTheft vulnerability: A kernel patch was made available to address the newly discovered PinTheft vulnerability.
- 2026-05-20 — PoC exploit for PinTheft published: A proof-of-concept exploit for the PinTheft vulnerability was released by the V12 security team.
Related entities
- Privilege Escalation (Attack Type)
- Zero-day Exploit (Attack Type)
- Cybersecurity and Infrastructure Security Agency (Company)
- V12 Security Team (Company)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-415 - Double Free (Cwe)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- Arch Linux (Platform)
- Linux (Platform)
- Copy Fail (Vulnerability)
- DirtyCBC (Vulnerability)
- DirtyDecrypt (Vulnerability)
- Dirty Frag (Vulnerability)
- Fragnesia (Vulnerability)
- Pack2TheRoot (Vulnerability)
- PinTheft (Vulnerability)