PinTheft is a Linux LPE flaw in the RDS subsystem with public exploit code. Arch Linux users face the highest risk and should patch immediately.
The wave of Linux local privilege escalation vulnerabilities showing up with working exploit code is not slowing down. The latest is PinTheft, discovered by the V12 security team, which affects the Linux kernel’s RDS (Reliable Datagram Sockets) subsystem and already has a public proof-of-concept available. No CVE has been assigned yet, but a patch landed earlier this month.
“PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers.” reads the advisory. “The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page.”
The vulnerability stems from how the kernel handles page references when a zerocopy send operation fails partway through.
A double-free flaw lets attackers gradually steal memory references until they can overwrite the page cache and gain root access. The exploit uses a technique similar to recent Linux LPE bugs like Dirty Frag, Fragnesia, and Copy Fail.
The attack surface here is significantly narrower than some of the other recent LPEs, and that is worth being precise about. PinTheft requires the RDS kernel module to be loaded, io_uring to be enabled, a readable SUID-root binary on the system, and x86_64 architecture for the included payload to work. The experts believe that the combination of conditions, limits exploitation considerably.
The RDS module is the key constraint. As V12 put it in their advisory.
“Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested.” continues the advisory.
Ubuntu, Fedora, Debian, and most enterprise Linux distributions do not load RDS by default, which means they are not immediately exposed. Arch Linux users with default kernel configurations are the primary population at risk right now.
Security researcher Will Dormann independently confirmed the exploit works as described on Arch Linux systems.
The kernel fix is already available, anyone running Arch Linux should update to the latest kernel package immediately. That is the clean solution and there is no good reason to delay it.
For situations where an immediate kernel update is genuinely not possible, V12 has provided a quick mitigation that unloads the RDS modules and prevents them from being reloaded:
rmmod rds_tcp rds
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
This blocks the attack path without requiring a reboot or a kernel update, and it is a reasonable stopgap for systems that need more time before a maintenance window.
PinTheft is arriving at an uncomfortable moment for Linux security. The cluster of page cache write vulnerabilities, Copy Fail, Dirty Frag, Fragnesia, and DirtyDecrypt, has dominated the conversation for weeks, and the situation moved from theoretical to actively exploited when CISA added Copy Fail to its Known Exploited Vulnerabilities catalog on May 1, ordering federal agencies to patch within two weeks. Real attackers are now using at least one of these techniques in the wild.
Whether that reflects a genuine surge in research focus on this area or a broader shift in how these bugs are being discovered and disclosed is an open question, but the operational result is the same: Linux administrators are dealing with a steadily growing list of patching priorities, some of them with working public exploits already attached.
Arch Linux users should patch immediately or disable the RDS modules, as the conditions needed to exploit PinTheft exist by default.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux)
