New PinTheft Vulnerability Exposes Arch Linux to Root Escalation Attacks
Severity: High (Score: 70.5)
Sources: Bleepingcomputer, Securityaffairs.Co, github.com, Cybersecuritynews
Keywords: linux, pintheft, vulnerability, root, exploit, escalation, attackers
Severity indicators: vulnerability, ot
Summary
A newly discovered Linux privilege escalation vulnerability, named PinTheft, allows local attackers to gain root access on Arch Linux systems by exploiting a flaw in the RDS subsystem. The vulnerability, identified by the V12 security team, involves a zerocopy double-free bug that can be exploited through a proof-of-concept (PoC) exploit released on May 20, 2026. This flaw requires specific conditions, including the RDS module being enabled, io_uring API support, and a readable SUID-root binary, limiting its attack surface. Users of Arch Linux are particularly at risk, as the RDS module is enabled by default on this distribution. Security experts recommend immediate kernel updates to mitigate the risk. The release of this exploit follows a trend of recent Linux local privilege escalation vulnerabilities, with several others disclosed in the past weeks. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued warnings regarding similar vulnerabilities being actively exploited. Organizations are urged to patch their systems promptly to prevent potential attacks.
Key Points:
- PinTheft allows local attackers to escalate privileges to root on Arch Linux systems.
- The vulnerability exploits a flaw in the RDS subsystem and requires specific conditions to be met.
- Immediate kernel updates are recommended for Arch Linux users to mitigate the risk.
Detailed Analysis
**Impact** Arch Linux users are primarily affected due to the default enabling of the RDS kernel module on this distribution. Local attackers can escalate privileges to root, potentially compromising entire systems. The vulnerability does not appear to impact other major Linux distributions by default, limiting the overall scope. No specific sectors or geographic regions were identified in the reports.
**Technical Details** The vulnerability, named PinTheft, is a local privilege escalation exploiting a double-free bug in the Linux kernel's RDS zerocopy send path, specifically in the function rds_message_zcopy_from_user(). Exploitation requires the RDS module loaded, io_uring enabled, a readable SUID-root binary, and x86_64 architecture. The exploit steals FOLL_PIN references to achieve a page-cache overwrite and obtain a root shell. No CVE ID has been assigned yet. Public proof-of-concept exploit code is available.
**Recommended Response** Apply the latest Linux kernel patches released earlier in May 2026 immediately, especially on Arch Linux systems. If patching is delayed, disable the RDS kernel module to mitigate exploitation risk. Monitor for unusual local privilege escalation attempts and the presence of the published PoC exploit. No additional IOCs or detection rules were provided in the available sources.
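
An added example (not taken from the cited sources or the published PoC): a POSIX shell audit of the conditions listed under Technical Details, so a host can be triaged while the kernel update is pending. It assumes the `kernel.io_uring_disabled` sysctl (present on Linux 6.6 and later) and counts an `install rds /bin/false` rule in `/etc/modprobe.d` as the module block; the function names and verdict words are invented for this example.

```shell
#!/bin/sh
# Added example: audit the PinTheft preconditions named on this page.
# Paths are parameters so the logic can be exercised on constructed files.

# 0 if an RDS module appears in a /proc/modules-format file.
rds_loaded() {
    grep -Eqs '^rds(_tcp|_rdma)? ' "$1"
}

# 0 if a modprobe.d rule replaces loading rds with a no-op command.
rds_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+rds[[:space:]]+(/usr)?/bin/(false|true)' \
        "$1"/*.conf
}

# Map kernel.io_uring_disabled (0, 1, 2) to a word; "unknown" if absent.
io_uring_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        0) echo enabled ;;
        1) echo restricted ;;   # only privileged or io_uring_group users
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Usage: pintheft_exposure ARCH MODULES_FILE MODPROBE_DIR IO_URING_SYSCTL
# Prints one of: not-applicable, mitigated, exposed, review.
# x86_64 is the architecture the page lists as a condition; the readable
# SUID-root binary condition is not checked here.
pintheft_exposure() {
    if [ "$1" != x86_64 ]; then echo not-applicable; return 0; fi
    if [ "$(io_uring_state "$4")" = disabled ]; then echo mitigated; return 0; fi
    if rds_loaded "$2"; then
        echo exposed
    elif rds_blocked "$3"; then
        echo mitigated
    else
        echo review      # not loaded, but nothing prevents loading it
    fi
}

# Audit the running host.
pintheft_exposure "$(uname -m)" /proc/modules /etc/modprobe.d \
    /proc/sys/kernel/io_uring_disabled
```

A `review` verdict means the module is not loaded but no block rule exists; adding the rule (or updating the kernel) moves the host to `mitigated`.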
Source articles (4)
- PinTheft Linux Vulnerability Let Attackers Gain Root Access — Cybersecuritynews · 2026-05-20
  A proof-of-concept (PoC) exploit was published for a new Linux Local Privilege Escalation (LPE) vulnerability dubbed “PinTheft.” Discovered by Aaron Esau of the V12 security team, the flaw allows loca…
- DirtyDecrypt — github.com · 2026-05-20
- PinTheft: Another Linux Privilege Escalation, Another Working Exploit, This Time Targeting Arch — Securityaffairs.Co · 2026-05-20
  PinTheft is a Linux LPE flaw in the RDS subsystem with public exploit code. Arch Linux users face the highest risk and should patch immediately. The wave of Linux local privilege escalation vulnerabil…
- Exploit released for new PinTheft Arch Linux root escalation flaw — Bleepingcomputer · 2026-05-20
  A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. The v…
Timeline
- 2026-05-01 — CISA adds Copy Fail to exploited vulnerabilities list: CISA reported that the Copy Fail vulnerability was actively exploited, urging agencies to secure Linux systems.
- 2026-05-20 — PinTheft PoC exploit released: A proof-of-concept exploit for the PinTheft vulnerability was made public, allowing root access on Arch Linux.
- 2026-05-20 — V12 security team discovers PinTheft: The V12 security team identified the PinTheft vulnerability in the RDS subsystem of the Linux kernel.
Related entities
- Privilege Escalation (Attack Type)
- Zero-day Exploit (Attack Type)
- Cybersecurity and Infrastructure Security Agency (Company)
- V12 Security Team (Company)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-415 - Double Free (Cwe)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- Arch Linux (Platform)
- Linux (Platform)
- Copy Fail (Vulnerability)
- DirtyCBC (Vulnerability)
- DirtyDecrypt (Vulnerability)
- Dirty Frag (Vulnerability)
- Fragnesia (Vulnerability)
- Pack2TheRoot (Vulnerability)
- PinTheft (Vulnerability)