# PinTheft: New Linux Privilege Escalation Exploit Targets Arch Linux
A proof-of-concept (PoC) exploit has been released for a recently patched Linux privilege escalation vulnerability. Dubbed PinTheft, the vulnerability allows local attackers to gain root privileges, primarily affecting **Arch Linux** systems.

### PinTheft: RDS Zerocopy Double-Free
The vulnerability, named **PinTheft** by the **V12** security team (still awaiting a **CVE** ID), resides in the Linux kernel's **RDS** (Reliable Datagram Sockets) implementation. The flaw, a zerocopy double-free, was addressed with a patch earlier this month.
"PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," **V12** stated in their advisory.
The vulnerability stems from the `rds_message_zcopy_from_user()` function, which pins user pages individually. If a subsequent page fault occurs, the error path improperly releases already pinned pages. Later, during RDS message cleanup, these pages are released again, leading to the double-free condition.
### PoC Exploit and Requirements
**V12** has released a PoC exploit that leverages the double-free to steal `FOLL_PIN` references. This ultimately allows **io_uring** to hold a stolen page pointer, granting a root shell.
However, successful exploitation requires specific conditions:
* The **RDS** module must be loaded.
* The **io_uring** Linux I/O API must be enabled.
* A readable SUID-root binary must be present.
* x86_64 architecture is required for the included payload.
These requirements significantly narrow the attack surface. **V12** notes that the **RDS** module is enabled by default only on **Arch Linux** among common distributions.
### Mitigation
Users on affected distributions are advised to apply the latest kernel updates promptly. As an immediate mitigation, the following commands can be used to prevent exploitation:
```sh
rmmod rds_tcp rds
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
```
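As an added example that is not part of the article or of V12's advisory, the following POSIX shell script audits the two preconditions an administrator controls (whether the `rds` module is loaded and whether io_uring is restricted) and checks that a modprobe rule of the kind shown above is actually in place. The `kernel.io_uring_disabled` sysctl it reads exists on Linux 6.6 and later; the `lsmod` listing and modprobe.d content at the bottom are constructed samples so the parsers can be exercised on any machine.

```sh
#!/bin/sh
# Added example (not from the V12 advisory or the article): audit whether a host
# meets the preconditions the article lists and whether the modprobe mitigation
# from the article is in place. Live inputs are lsmod, /etc/modprobe.d and, on
# Linux 6.6+, the kernel.io_uring_disabled sysctl.

# Read `lsmod` output on stdin; succeed (exit 0) if the rds module is loaded.
rds_loaded_in() {
    awk 'NR > 1 && $1 == "rds" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Read modprobe.d configuration on stdin; succeed only if both rds and rds_tcp
# are redirected to /bin/false, which is what the article's printf line writes.
modprobe_blocks_rds() {
    awk '
        $1 == "install" && $2 == "rds"     && $3 == "/bin/false" { rds = 1 }
        $1 == "install" && $2 == "rds_tcp" && $3 == "/bin/false" { tcp = 1 }
        END { exit ((rds && tcp) ? 0 : 1) }'
}

# Map the kernel.io_uring_disabled sysctl value (Linux 6.6+) to a word:
# 0 = usable by everyone, 1 = only CAP_SYS_ADMIN / io_uring_group, 2 = off.
io_uring_state() {
    case "$1" in
        0) echo enabled ;;
        1) echo restricted ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Live audit of the running host: one line per finding.
audit_host() {
    if lsmod 2>/dev/null | rds_loaded_in; then
        echo "FAIL: rds module is loaded (rmmod rds_tcp rds, then add the modprobe rule)"
    else
        echo "OK:   rds module is not loaded"
    fi

    if cat /etc/modprobe.d/*.conf 2>/dev/null | modprobe_blocks_rds; then
        echo "OK:   modprobe.d prevents rds and rds_tcp from loading"
    else
        echo "WARN: no modprobe.d rule blocks rds/rds_tcp; the module can still be loaded on demand"
    fi

    if [ -r /proc/sys/kernel/io_uring_disabled ]; then
        state=$(io_uring_state "$(cat /proc/sys/kernel/io_uring_disabled)")
        echo "INFO: io_uring is $state (kernel.io_uring_disabled sysctl)"
    else
        echo "INFO: no kernel.io_uring_disabled sysctl (kernel older than 6.6, or io_uring compiled out)"
    fi
}

# Constructed sample inputs so the parsers can run without root or a vulnerable
# host: an lsmod listing with rds loaded, and the article's blacklist content.
SAMPLE_LSMOD='Module                  Size  Used by
rds_tcp                28672  0
rds                   118784  1 rds_tcp
xt_conntrack           16384  1'
SAMPLE_CONF='install rds /bin/false
install rds_tcp /bin/false'

# Run the live audit only when asked; otherwise exercise the parsers on the samples.
if [ "${1:-}" = "--audit" ]; then
    audit_host
else
    printf '%s\n' "$SAMPLE_LSMOD" | rds_loaded_in && echo "sample lsmod: rds loaded"
    printf '%s\n' "$SAMPLE_CONF" | modprobe_blocks_rds && echo "sample conf: rds blacklisted"
fi
```

Run it as `sh audit.sh --audit` on the host being checked. The `rmmod` order in the mitigation above is not arbitrary: `rds_tcp` depends on `rds`, so it has to be removed first, and the `install ... /bin/false` lines are what keeps the module from being loaded again afterwards.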
### Recent LPE Vulnerabilities
This disclosure follows a series of recently uncovered Linux local privilege escalation (LPE) vulnerabilities. Researchers have also released PoC exploits for the **DirtyDecrypt** and **DirtyCBC** vulnerabilities. These belong to the same vulnerability class as other root-escalation flaws, including **Dirty Frag**, **Fragnesia**, and **Copy Fail**.
It has also been reported that threat actors have begun actively exploiting the **Copy Fail** vulnerability in the wild. The **Cybersecurity and Infrastructure Security Agency (CISA)** has added **Copy Fail** to its list of known exploited vulnerabilities and has mandated that government agencies patch their Linux systems.
Last month, Linux distributions issued patches for **Pack2TheRoot**, a root-privilege escalation vulnerability in the **PackageKit** daemon that remained undetected for over a decade.