PinTheft

unreleased

A double-free in the Linux kernel's RDS zerocopy send path allows an unprivileged local attacker to corrupt page reference counts and, combined with io_uring fixed buffers, overwrite SUID binaries in the page cache to gain root.

Details

Write-up
https://github.com/v12-security/pocs/tree/main/pintheft
Author
V12
Introduced
0cebaccef3ac
Patch
e17492979319
The patch has not been included in a stable kernel release yet. Some distributions might have already backported it.

Timeline

  1. Fix posted to netdev mailing list[2]
  2. Public disclosure and PoC published[1]

Mitigation

Blacklist the rds and rds_tcp modules

This has no impact on systems not using AFS or RDS-based applications.

printf 'install rds /bin/false
install rds_tcp /bin/false
' > /etc/modprobe.d/pintheft.conf
rmmod rds_tcp rds 2>/dev/null

Sources

  1. https://www.openwall.com/lists/oss-security/2026/05/19/6
  2. https://lore.kernel.org/netdev/20260505234336.2132721-1-achender@kernel.org/

History