PinTheft
A double-free in the Linux kernel's RDS zerocopy send path allows an unprivileged local attacker to corrupt page reference counts and, combined with io_uring fixed buffers, overwrite SUID binaries in the page cache to gain root.
Details
- Write-up
- https://github.com/v12-security/pocs/tree/main/pintheft
- Author
- V12
- Introduced
- 0cebaccef3ac
- Patch
- e17492979319
The patch has not been included in a stable kernel release yet. Some distributions might have already backported it.
Timeline
Mitigation
Blacklist the rds and rds_tcp modules
This has no impact on systems not using AFS or RDS-based applications.
printf 'install rds /bin/false
install rds_tcp /bin/false
' > /etc/modprobe.d/pintheft.conf
rmmod rds_tcp rds 2>/dev/nullSources
- https://www.openwall.com/lists/oss-security/2026/05/19/6
- https://lore.kernel.org/netdev/20260505234336.2132721-1-achender@kernel.org/