PinTheft Arch Linux LPE: RDS zerocopy double-free turned into io_uring page-cache overwrite, PoC released

The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation tied to a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that can be turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no assigned CVE yet. Exploitation requires the RDS module to be loaded - default only on Arch Linux among the major distributions - plus io_uring enabled and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.

Check
Inventory Arch Linux hosts with `pacman -Q linux`. Check if RDS is loaded via `lsmod | grep rds`. Look for unexpected root shells from low-privilege users in audit logs since 2026-05-20.
Affected
Linux kernels with the RDS module enabled (default only on Arch Linux among common distros) plus io_uring enabled and a readable SUID-root binary. PoC tested on x86_64.
Fix
Apply the latest Arch Linux kernel update. Temporary mitigation: `rmmod rds_tcp rds` and blacklist via /etc/modprobe.d/pintheft.conf. Audit io_uring usage and consider raising its sysctl restrictions.
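
The Check and Fix steps above combined into one defender-side script. This is an added example, not code from the article or from the V12 PoC. The function names are hypothetical, `kernel.io_uring_disabled` is assumed to be the io_uring sysctl restriction meant above, and the `install ... /bin/false` lines go one step beyond a plain blacklist.

```shell
#!/bin/sh
# Added example (not from the article): checks the PinTheft preconditions the
# article lists. File paths are arguments so constructed samples can be used.

# Succeeds if rds or an rds_* transport (e.g. rds_tcp) is in the module list.
rds_loaded() {
    awk '$1 == "rds" || $1 ~ /^rds_/ { hit = 1 } END { exit !hit }' \
        "${1:-/proc/modules}" 2>/dev/null
}

# Maps kernel.io_uring_disabled to a word: 0 = everyone, 1 = unprivileged
# callers blocked, 2 = off. A missing sysctl (kernels before 6.6) is treated
# as enabled, a conservative assumption.
io_uring_state() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ -r "$f" ] || { echo enabled; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo enabled ;;
        1) echo restricted ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combines both checks. It does not test whether the kernel is patched and
# assumes a readable SUID-root binary exists, as on any ordinary install.
pintheft_exposure() {
    rds_loaded "$1" || { echo not-exposed; return 0; }
    case "$(io_uring_state "$2")" in
        disabled)   echo not-exposed ;;
        restricted) echo reduced ;;
        *)          echo exposed ;;
    esac
}

# Prints the contents for /etc/modprobe.d/pintheft.conf. "blacklist" only
# stops alias-based autoloading; "install ... /bin/false" also blocks an
# explicit modprobe.
pintheft_modprobe_conf() {
    for m in rds rds_tcp; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Report for the local host when run as a script.
echo "PinTheft exposure: $(pintheft_exposure)"
```

To apply the mitigation, redirect the output of `pintheft_modprobe_conf` into /etc/modprobe.d/pintheft.conf as root after running the `rmmod` command above.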