A newly detailed vulnerability known as “PinTheft” is giving Linux system administrators serious pause. Discovered by Aaron Esau of the V12 security team, this exploit leverages a complex interaction between the Reliable Datagram Sockets (RDS) protocol and the io_uring subsystem to achieve devastating local privilege escalation.
While the required modules are not enabled by default across all major Linux distributions, where they are present, PinTheft allows a standard user to overwrite sensitive page-cache memory and instantly drop into a root shell. Because multiple teams independently discovered the bug and a patch is now available, the V12 team has officially published their Proof-of-Concept (PoC).
The core vulnerability resides deep within the RDS zerocopy send path.
According to the V12 report, the function rds_message_zcopy_from_user() is designed to pin user pages into memory one at a time. However, a critical logic error occurs when a subsequent page faults. As the researchers explain, “If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared.”
This is effectively a “double-free” of the page references: the already-pinned pages are released once by the error path and a second time by the later message cleanup. Because of this repeated dropping, the V12 team observed that “Each failed zerocopy send can steal one reference from the first page.”
Stealing memory references is a neat trick, but weaponizing it requires a mechanism to hold onto a memory page while its reference counts are artificially drained. This is where io_uring, the asynchronous I/O framework for Linux, comes into play.
Here is the exact step-by-step breakdown of the PinTheft attack as outlined by the V12 team:
- Target Selection: The exploit first hunts for a readable, highly privileged SUID-root binary on the system. It specifically targets critical system files like /usr/bin/su, /usr/bin/mount, or /usr/bin/passwd.
- Fixed-Buffer Registration: The attacker registers an anonymous memory page as an io_uring fixed buffer. Crucially, registering the page this way pins it with FOLL_PIN, which adds a bias of 1024 to its reference count.
- Reference Theft: The exploit intentionally executes 1024 failing RDS zerocopy sends. Because of the double-free bug mentioned earlier, each failure silently steals one of the FOLL_PIN references. Eventually, the reference count hits zero, freeing the page back to the system, but io_uring is left holding a “stolen,” dangling pointer to it.
- Page-Cache Reclaim: The exploit immediately reads the target SUID binary. This action forces the system’s page-cache allocation to reuse the exact page that was just freed. The stale io_uring pointer now points directly at the live page-cache data for the root binary.
- The Overwrite: Using the dangling fixed buffer as the destination of a read (IORING_OP_READ_FIXED, which writes file data into the registered page), the exploit funnels a small malicious ELF payload directly into the cached memory of the SUID binary.
- Execution: The attacker simply executes the compromised SUID binary. Because the underlying cached code has been replaced by the payload, the exploit “drops into a root shell.”
The report explains the name itself: the exploit is called “PinTheft” “because the exploit steals FOLL_PIN references until io_uring is left holding a stolen page pointer.”
While the exploit technique is highly sophisticated and architecture-independent, its real-world impact is fortunately somewhat limited by default module configurations. The V12 team notes, “Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested.”
However, any system where the RDS module has been loaded manually, or where module autoloading is permitted and the rds_tcp module is present on disk, remains exposed.
For administrators who do not require the RDS protocol, the simplest and most effective mitigation strategy is to completely block the modules from loading into the kernel.
The V12 report recommends implementing the following blocklist commands:
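The report's own commands are not reproduced on this page. As an added example that is not the V12 team's code, the POSIX shell script below audits whether the rds and rds_tcp modules named above are resident or still loadable, and prints a modprobe.d fragment that blocks them; the `install <module> /bin/false` override and the modprobe.d paths are the standard modprobe mechanism, chosen here rather than taken from the report.

```shell
#!/bin/sh
# Added example, not the V12 report's own commands: audit whether the RDS
# modules named in the article (rds, rds_tcp) are resident or still loadable,
# and print a modprobe.d fragment that blocks them. Pure file inspection, so
# the helpers can be pointed at constructed input as well as the live host.

RDS_MODULES="rds rds_tcp"

# module_loaded "<text of /proc/modules>" <module>: true if the module is resident.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# module_blocked "<text of all modprobe.d fragments>" <module>: true only if an
# "install <module> /bin/false" (or /bin/true) override is present. A bare
# "blacklist <module>" line does not count: it only stops alias-based autoload,
# not an explicit modprobe or a load pulled in as a dependency of rds_tcp.
module_blocked() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(false|true)([[:space:]]|$)"
}

# blocklist_config <module>...: modprobe.d fragment blocking each module both
# ways (install override plus alias blacklist); write it to /etc/modprobe.d/.
blocklist_config() {
    for m in "$@"; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# audit_rds: one status line per RDS module on the live host. Blocking only
# prevents future loads, so an already-resident module must be unloaded.
audit_rds() {
    loaded=$(cat /proc/modules 2>/dev/null || true)
    conf=$(cat /etc/modprobe.d/*.conf /usr/lib/modprobe.d/*.conf 2>/dev/null || true)
    for m in $RDS_MODULES; do
        if module_loaded "$loaded" "$m"; then
            echo "$m: LOADED - block it, then modprobe -r $m (or reboot)"
        elif module_blocked "$conf" "$m"; then
            echo "$m: blocked by an install override"
        else
            echo "$m: not loaded but still loadable; install the blocklist fragment"
        fi
    done
    return 0
}

audit_rds
blocklist_config $RDS_MODULES
```

Run it as root on a host you manage; unload rds_tcp before rds, since rds_tcp holds a reference on rds.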
Furthermore, security teams testing the PoC are given a strict cleanup warning: the exploit overwrites the in-memory page cache. If a machine is left in this state, anyone executing common SUID programs like su or passwd will inadvertently trigger the payload. System administrators must flush the cache or reboot test machines immediately after experimentation.
Update:
This vulnerability is tracked as CVE-2026-43494.