PinTheft Exploit Released for Arch Linux Root Escalation

Imagine running a routine system update on your Arch Linux machine, only to discover later that a local attacker could have gained full root access through a newly published exploit. That scenario became a real possibility when the V12 security team released a proof-of-concept exploit for a vulnerability they named PinTheft.


Understanding PinTheft and the RDS Vulnerability

PinTheft lives in a specific kernel function: rds_message_zcopy_from_user(). This function handles zero-copy sends over the RDS protocol. The bug arises when the kernel pins user pages one at a time but fails to clean up properly after a fault during pinning. Each failed zero-copy send steals one reference from the first page, slowly leaking references until the exploit gains control.

The V12 team turned this memory corruption into a page-cache overwrite using io_uring fixed buffers. By manipulating the page references, the exploit tricks io_uring into holding a stolen page pointer. From there, the attacker can write arbitrary kernel memory and ultimately spawn a root shell. The vulnerability was patched earlier this month, though it still lacks a CVE ID.

Why Arch Linux Is Uniquely Exposed

Among major Linux distributions, only Arch Linux enables the RDS kernel module by default. That single decision drastically alters the risk profile for Arch users. While the exploit requires several other conditions — which we’ll cover below — the presence of the RDS module is the primary gateway. If you run Fedora, Ubuntu, or Debian, the RDS module is typically disabled out of the box, making PinTheft ineffective without manual intervention.

The Technical Core: A Double-Free in rds_message_zcopy_from_user()

During a zero-copy send, the kernel pins user pages one at a time. If a later pinning operation fails (for example, because the user page is swapped out), the error path drops the pages already pinned. However, the scatterlist entries and entry count remain live after the zero-copy notifier is cleared. Later, when RDS message cleanup runs, it drops those same pages again — a classic double-free. Each cycle steals exactly one reference from the first pinned page. The exploit repeats this process until it has accumulated enough stolen references to manipulate the page cache via io_uring.

Exploitation Requirements and the Real Attack Surface

Despite the severity of the bug, successfully running the pintheft arch exploit is far from trivial. The V12 advisory lists four essential conditions:

  • RDS kernel module loaded — This is automatically true on Arch Linux, but rarely on other distributions.
  • io_uring enabled — The io_uring subsystem is available on modern kernels (5.1+), but some security-conscious setups may disable it via kernel boot parameters.
  • A readable SUID-root binary — The exploit uses a set-user-ID-root binary to adjust the process credentials during the attack. Any such binary (e.g., /bin/su or /usr/bin/passwd) will work, as long as it exists and is readable.
  • x86_64 architecture — The payload in the proof-of-concept is compiled for the x86_64 (AMD64 / Intel 64) instruction set.

These restrictions narrow the pool of vulnerable systems considerably. Still, for anyone running a default installation of Arch Linux on a modern 64-bit machine, all requirements are met. A local attacker — perhaps a fellow user on a shared system, a malicious employee, or someone who gains SSH access through another vulnerability — can exploit PinTheft to take complete control.

Why the Attack Surface Is Still Concerning

Even though PinTheft requires local access, the reality is that shared Linux environments exist everywhere: university labs, cloud instances with multiple tenants, developer workstations, and Docker containers (though container breakout would require additional steps). The existence of a public exploit eliminates the need for an attacker to write their own code, lowering the skill barrier.

How to Check If Your System Is Vulnerable

Before panicking, you can verify whether your Arch Linux installation is exposed. Follow these steps:

Check the RDS Module Status

Run the following command in a terminal:

lsmod | grep rds

If the output shows rds or rds_tcp, the module is loaded. On a default Arch Linux system, you should see at least rds. If the module is not loaded, you are not vulnerable — but be aware that a script or another process could load it later if an attacker has sufficient privileges.

Confirm io_uring Availability

io_uring is typically enabled in Arch’s default kernel. You can check by looking in the kernel configuration file:

zgrep CONFIG_IO_URING /proc/config.gz

If the output is CONFIG_IO_URING=y, it is built into the kernel. If it shows =m, it is a module and may be loaded. If nothing appears, io_uring is disabled. Another quick test is to try the io_uring-related system calls (you can install the liburing package and run a simple test program).

Check for a SUID-Root Binary

Most Unix systems have at least one SUID-root binary. You can list them with:

find / -perm -4000 -user root -type f 2>/dev/null | head -5

If you see any output, the condition is met.

Determine Your Kernel Version

Run:

uname -r

Compare the version with the patched kernel release for Arch. As of mid-May 2025, the fix has been included in the latest stable kernel (you can check the Arch Linux package page or run pacman -Sy linux and check if there is an update).

Immediate Mitigation Steps

If you cannot apply a full kernel update right now, you can block the exploit by removing the RDS module and preventing it from being loaded again. This is a temporary but effective workaround.

Unload the RDS Module

Open a terminal with root privileges (or use sudo) and run:

rmmod rds_tcp; rmmod rds

Note the order — rds_tcp depends on rds, so you must unload rds_tcp first. After this, check that the module is gone:


lsmod | grep rds

It should return nothing.

Blacklist the Module Permanently

Create a configuration file that tells modprobe never to load the RDS module. As root:

printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf

This ensures that even if a script or another process tries to load the module, the command fails silently.

Apply Kernel Updates

The definitive fix is to upgrade your kernel. On Arch Linux:

pacman -Syu linux

Reboot afterward to load the patched kernel. The vulnerability was patched in a commit applied earlier this month (May 2025) — any kernel version released after that commit is safe.
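As an added example (my own script, not code from the V12 advisory or from Arch), the following POSIX shell turns the four checks from "How to Check If Your System Is Vulnerable" and the modprobe blacklist from the mitigation section into functions that take command output as arguments, so the decision logic can be exercised on constructed text before it is pointed at a real host. The file name pintheft-check.sh and the report wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the V12 advisory. Each precondition check takes the
# relevant command output as an argument so it can be tested on constructed
# text; "--live" feeds in real lsmod, /proc/config.gz, find and uname output.
# $1 = lsmod output. 0 if rds or rds_tcp is loaded.
rds_loaded() { printf '%s\n' "$1" | grep -Eq '^rds(_tcp)?[[:space:]]'; }
# $1 = zgrep CONFIG_IO_URING /proc/config.gz output. 0 if =y or =m.
io_uring_enabled() { printf '%s\n' "$1" | grep -Eq '^CONFIG_IO_URING=(y|m)$'; }
# $1 = newline-separated SUID-root paths. 0 if any is readable by this user
# (paths containing whitespace are not handled).
suid_readable() {
    for f in $1; do [ -r "$f" ] && return 0; done
    return 1
}
# $1 = uname -m output.
is_x86_64() { [ "$1" = "x86_64" ]; }
# $1 = concatenated /etc/modprobe.d/*.conf text. 0 only if both modules are
# mapped to /bin/false, i.e. the blacklist from the mitigation section is in place.
rds_blacklisted() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/false' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+rds_tcp[[:space:]]+/bin/false'
}
# The published PoC needs all four: $1 lsmod, $2 config line, $3 SUID list, $4 arch.
pintheft_exposed() {
    rds_loaded "$1" && io_uring_enabled "$2" && suid_readable "$3" && is_x86_64 "$4"
}
# Collect live data; a missing command yields "" which every check treats as unmet.
check_live_system() {
    mods=$(lsmod 2>/dev/null)
    cfg=$(zgrep CONFIG_IO_URING /proc/config.gz 2>/dev/null)
    suid=$(find / -perm -4000 -user root -type f 2>/dev/null | head -5)
    arch=$(uname -m 2>/dev/null)
    modconf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    rds_loaded "$mods"         && echo "rds module: loaded"      || echo "rds module: not loaded"
    io_uring_enabled "$cfg"    && echo "io_uring: enabled"       || echo "io_uring: not enabled/unknown"
    suid_readable "$suid"      && echo "readable SUID-root: yes" || echo "readable SUID-root: none found"
    is_x86_64 "$arch"          && echo "arch: x86_64"            || echo "arch: ${arch:-unknown}"
    rds_blacklisted "$modconf" && echo "rds blacklist: present"  || echo "rds blacklist: absent"
    if pintheft_exposed "$mods" "$cfg" "$suid" "$arch"; then
        echo "VERDICT: all PoC preconditions met; update the kernel or unload rds"
    else
        echo "VERDICT: at least one precondition is missing"
    fi
}
# Only touch the real system when explicitly asked: sh pintheft-check.sh --live
if [ "${1:-}" = "--live" ]; then check_live_system; fi
```

Run it without arguments to load only the functions; with --live it reads the real system and prints one line per precondition plus the blacklist status, which makes it easy to re-run after the rmmod and modprobe.d steps to confirm they took effect.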

The Bigger Picture: Recent Linux LPE Vulnerabilities

PinTheft joins a growing list of local privilege escalation flaws discovered in recent months. Over the past several weeks, security researchers have published exploits for DirtyDecrypt, DirtyCBC, Dirty Frag, Fragnesia, and Copy Fail — all targeting different kernel subsystems. Some of these were zero-days with no patches available at disclosure time.

Copy Fail Active Exploitation

On May 1, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its catalog of flaws exploited in the wild. The agency ordered federal government agencies to patch their Linux systems within two weeks. While Copy Fail is a separate vulnerability from PinTheft, the active exploitation underscores how valuable Linux kernel weaknesses are to threat actors.

Last month, Linux distributions also patched a root-privilege escalation vulnerability in the PackageKit daemon, called Pack2TheRoot, which had remained undetected for over a decade.

Frequently Asked Questions About the PinTheft Exploit

What if my system has the RDS module loaded but I haven’t applied the patch yet?

You are currently vulnerable to the pintheft arch exploit if all other conditions (io_uring, SUID binary, x86_64) are met. Until you either patch the kernel or remove the module, any local user can attempt the exploit. The PoC code is publicly available, so expect it to be incorporated into penetration testing tools and possibly malicious scripts. Act now — remove the module as described above.

How do I check if io_uring is enabled on my Linux kernel?

Use the config file query method: zgrep CONFIG_IO_URING /proc/config.gz. If you see CONFIG_IO_URING=y, io_uring is built-in. If it’s missing, the kernel lacks support. Another method: run cat /sys/kernel/io_uring/features; if the file doesn’t exist, the feature may not be enabled. Most standard Arch kernels include io_uring.

Why does the PinTheft exploit require a readable SUID-root binary?

The exploit uses the SUID-root binary to obtain a process with elevated privileges that it can then leverage during the page-cache overwrite. Specifically, it needs to inherit the root capabilities while performing certain operations that require higher permissions. The exploit does not need to actually run the binary; it only needs to hold a file descriptor to it. Any readable SUID-root file works.

Is there a way to block the exploit without unloading RDS modules?

If you cannot unload the module for some reason (e.g., an application requires it), you could disable io_uring by adding the kernel boot parameter io_uring_disabled=1 to your boot loader configuration. However, this may break applications that rely on io_uring. Similarly, you could remove the CONFIG_IO_URING support by recompiling your kernel, but that is impractical for most users. The simplest and most reliable mitigation is to unload RDS and blacklist it.

Will the PinTheft vulnerability receive a CVE ID eventually?

As of this writing, no CVE has been assigned. The V12 team stated the bug was patched before disclosure, and CVE assignment sometimes lags behind. It is possible that a CVE will be assigned in the coming weeks. Even without one, the community widely recognizes the flaw under the name PinTheft.

Final Recommendations

If you run Arch Linux — especially on a system accessible by multiple users — treating the pintheft arch exploit seriously is wise. Apply the kernel update, or at minimum unload the RDS module and blacklist it. Consider also monitoring for the CVE assignment and staying informed about other recent LPE vulnerabilities. A shared system is only as secure as its weakest kernel component, and PinTheft has shown that even a single default module can open a door to root compromise.
