A working proof-of-concept exploit for a new Linux kernel privilege escalation bug called PinTheft went public this week, adding another name to a growing list of kernel-level root escalations that have shaken the Linux security community throughout early 2026.
Discovered by Aaron Esau of the V12 security team, PinTheft allows a local attacker to gain root access by exploiting an RDS (Reliable Datagram Sockets) zerocopy double-free bug. A kernel patch is already available — V12 released their PoC only after confirming independent discovery by other teams and verifying the fix landed upstream.
What Makes This One Different
The bug itself lives in a corner of the kernel most people rarely think about: the RDS zerocopy send path, specifically in rds_message_zcopy_from_user(), which pins user memory pages into kernel space one at a time. If a later page triggers a fault, the error path drops the already-pinned pages — but later RDS message cleanup drops them a second time, because the scatterlist bookkeeping stays live even after the zcopy notifier is cleared. Each failed zerocopy send steals exactly one memory reference from the first page.
On its own, a reference count bug like this is difficult to turn into a useful primitive. PinTheft's real cleverness is what it does next.
To weaponize the reference count bug, the exploit leverages io_uring. The attacker registers an anonymous memory page as an io_uring fixed buffer, assigning it a FOLL_PIN bias of 1024 references — then systematically drains those references through 1024 deliberately failing RDS sends, until io_uring is left holding a pointer to a page it no longer legitimately owns.
From there, the exploit evicts the target SUID binary's first page from cache, reclaims that same physical page, and uses io_uring's now-dangling buffer pointer to overwrite the page cache of a privileged binary — /usr/bin/su, passwd, or pkexec are preferred targets — with a small custom ELF payload. Run the binary, get a root shell.
Who's Actually at Risk
Beyond having the RDS module loaded, PinTheft also requires io_uring to be enabled, a readable SUID-root binary to be present, and an x86_64 system. The required RDS module is only default on Arch Linux among common distributions tested — other major distributions do not load it out of the box.
That limits the immediate blast radius. But the conditions aren't exotic on systems where administrators have enabled RDS for workloads that use it, or on containers and CI runners where kernel modules may be more permissive.
A Pattern That Isn't Slowing Down
PinTheft follows a wave of other Linux local privilege escalation vulnerabilities disclosed over the past several weeks — DirtyDecrypt, DirtyCBC, Dirty Frag, Fragnesia, and CopyFail — all belonging to the same broad vulnerability class of page-cache overwrite exploits. Threat actors have already begun actively exploiting CopyFail in the wild. Each new PoC in this series raises the question of how many similar bugs remain undiscovered in the kernel's networking and asynchronous I/O subsystems.
What to Do Now
The straightforward mitigation is to remove RDS entirely if nothing on your system actually needs it:
rmmod rds_tcp rds printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
Apply your distribution's kernel update as soon as it incorporates the upstream patch. If you're running Arch Linux, that should be your first call this week. For everyone else: check whether CONFIG_RDS is enabled in your running kernel before assuming you're clear.
The V12 team also warns that the exploit temporarily corrupts the target SUID binary's page cache in memory. Before running on any test system, the PoC backs up the target binary and prints a restore command — but don't skip the reboot on anything that matters.