A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.
The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel’s RDS (Reliable Datagram Sockets) and was patched earlier this month.
“PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers,” V12 said in a Tuesday advisory.
“The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page.”
V12 also released a PoC exploit that steals FOLL_PIN references until io_uring is left holding a stolen page pointer, allowing it to obtain a root shell.
However, in addition to having the RDS module loaded on the target system, PinTheft also requires specific conditions for successful exploitation, including the io_uring Linux I/O API being enabled, a readable SUID-root binary, and x86_64 support for the included payload.
This drastically limits the attack surface, with V12 stating that the RDS module is enabled by default only on Arch Linux out of the most common Linux distros.
“Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested,” V12 added.
Linux users on affected distros are advised to install the latest kernel updates as soon as possible.
However, those who can’t immediately patch their devices can also use the following mitigation to block exploitation attempts:
rmmod rds_tcp rds
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
This comes after a wave of other Linux local privilege escalation (LPE) vulnerabilities were disclosed over the past several weeks, some of which were zero-days with no security patches available.
Over the weekend, security researchers released PoC exploits targeting another recently patched Linux LPE (tracked as DirtyDecrypt and DirtyCBC), which belongs to the same vulnerability class as several other root-escalation flaws, including Dirty Frag, Fragnesia, and Copy Fail.
These disclosures also follow reports that threat actors have started actively exploiting the Copy Fail vulnerability in attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered government agencies to secure their Linux systems within two weeks.
Last month, Linux distros also rolled out security patches for a root-privilege escalation vulnerability (named Pack2TheRoot and found in the PackageKit daemon) that had gone unnoticed for more than a decade.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
