A new public exploit has once again exposed the fragility of the Linux privilege model: the V12 Security team named the flaw PinTheft and published a proof of concept that lets a local user escalate to root on Arch Linux systems when specific conditions are met. Although the bug has already been fixed in the kernel, the availability of the PoC makes the risk real for unpatched or poorly configured machines.
The vulnerability lies in the zerocopy send path of the RDS (Reliable Datagram Sockets) subsystem. In general terms, the function that pins user pages can lose references when an exception occurs mid-operation; that double release (double-free), combined with its interaction with io_uring fixed buffers, can end in an overwrite of the page cache and, finally, in memory control capable of yielding a shell with elevated privileges. V12 explains the technical vector and published the code in its repository, which makes it easier for defenders to understand the exploitation and, unfortunately, for attackers to recreate it: explanation and PoC from V12.

It is important to stress that exploitation is not trivial. It requires that the RDS module be loaded, that io_uring be available in the kernel, the presence of a readable SUID binary, and the x86_64 architecture for the included payload, which significantly reduces the attack surface. V12 points out that, among the common distributions tested, the RDS module is only enabled by default on Arch Linux, so the peculiarity of that default configuration increases the risk in that particular distribution.
The patch that fixes the flaw has already been sent to the kernel tree; administrators and users should prioritize updating to the available kernel versions that contain that fix. The original patch can be consulted to check which lines were modified and to confirm its inclusion in a given kernel version: patch details at lore.kernel.org. Applying the patch, or updating to the kernel version shipped by your distribution, is the definitive measure.
For systems that cannot be patched immediately, there is a practical mitigation: unload the RDS module and block its future loading by creating a file in /etc/modprobe.d/ that prevents its insertion. An effective example is to run rmmod rds_tcp rds and write the lines install rds /bin/false and install rds_tcp /bin/false to /etc/modprobe.d/pinheft.conf. This intervention removes the RDS vector, although it must be evaluated first because it can disable network functionality that depends on the module.
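The unload-and-block mitigation above, as an added shell example that is not part of the article or of V12's material. It assumes the module names rds and rds_tcp and the file name /etc/modprobe.d/pinheft.conf given in the article; the lsmod output embedded at the end is constructed sample data, and rds_apply_mitigation itself needs root.

```shell
#!/bin/sh
# Added example: helpers for the RDS modprobe.d mitigation described in the article.
RDS_CONF="${RDS_CONF:-/etc/modprobe.d/pinheft.conf}"   # file name as in the article

# Emit the modprobe.d lines that make any future load of rds/rds_tcp fail.
rds_modprobe_conf() {
    printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n'
}

# Read lsmod-style output on stdin and print the RDS modules currently loaded,
# rds_tcp first because it depends on rds and must be removed before it.
rds_loaded_modules() {
    awk '$1 == "rds_tcp" || $1 == "rds" { print $1 }' | sort -r | paste -s -d ' '
}

# Return 0 only if the given modprobe.d file blocks both modules
# (a plain "blacklist" line is not enough: it does not stop explicit loads).
rds_conf_blocks() {
    grep -Eq '^install[[:space:]]+rds[[:space:]]+/bin/false' "$1" &&
    grep -Eq '^install[[:space:]]+rds_tcp[[:space:]]+/bin/false' "$1"
}

# Apply the mitigation (needs root): unload what is loaded, then write the config
# and dry-run modprobe to confirm rds now resolves to /bin/false, not to the .ko.
rds_apply_mitigation() {
    mods=$(lsmod | rds_loaded_modules)
    [ -n "$mods" ] && rmmod $mods
    rds_modprobe_conf > "$RDS_CONF"
    modprobe -n -v rds
}

# Constructed lsmod sample (not a real capture) for offline checking.
SAMPLE_LSMOD='Module                  Size  Used by
rds_tcp                24576  0
rds                   196608  1 rds_tcp
ext4                  983040  1'
```

Run rds_conf_blocks against the file after writing it; a modprobe.d file that only contains blacklist lines will fail the check, which is the point of the install-to-/bin/false form.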

Beyond the patch and the technical mitigation, the repeated emergence of local privilege escalation bugs in the kernel and the public release of PoCs highlight a practical lesson: reduce the exposed attack surface. This includes reviewing and minimizing SUID binaries, disabling unnecessary kernel modules, controlling system hardening parameters (e.g. seccomp and grsecurity policies where available) and applying least-privilege principles in multi-user environments and on cloud servers.
Organizations must also integrate detection and response: exploitation attempts leave traces, and catching them can make the difference between a contained incident and an escalation. Reviewing kernel logs, access audits and alerts related to io_uring, unusual module loads or process aborts can help detect suspicious activity. For context on the global threat and other escalation vulnerabilities that are attracting attention, the CISA agency maintains advisories and catalogues of vulnerabilities exploited in the wild; see its statement on the recent wave of LPEs: advisory from CISA.
Finally, given the publication of the PoC and the speed with which the same kind of flaw keeps being revealed (DirtyDecrypt, DirtyCBC, Copy Fail, among others), my recommendation for administrators and advanced users is to prioritize proactive maintenance: apply kernel and distribution security updates, audit and minimize modules and SUID binaries, and apply temporary mitigations when patching immediately is not possible. The technical transparency of the patch and the PoC helps defense, but it also shortens the grace period; early action is key.
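One way to turn the signals listed above (module loads, modprobe.d changes, io_uring setup) into audit rules and to filter them out of audit-log lines, as an added example that is not from the article or from V12. It assumes auditd with auditctl/augenrules on x86_64; the rule keys and the audit records at the end are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: auditd rules for the indicators the article names, plus a filter.

# Rules in /etc/audit/rules.d syntax. The io_uring_* syscall names need a libaudit
# that knows them (otherwise use the x86_64 numbers 425-427).
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k mod_load
-w /etc/modprobe.d/ -p wa -k mod_conf
-a always,exit -F arch=b64 -S io_uring_setup,io_uring_register -k iouring
EOF
}

# Install the rules (needs root) and reload them into the running auditd.
audit_rules_install() {
    audit_rules > /etc/audit/rules.d/50-pintheft.rules
    augenrules --load
}

# Read SYSCALL records on stdin and print "key uid exe" for the two keys above,
# so module loads or io_uring setup by unexpected users stand out at a glance.
audit_filter() {
    awk '
    $1 == "type=SYSCALL" {
        key = ""; uid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^key=/) key = substr($i, 5)
            if ($i ~ /^uid=/) uid = substr($i, 5)   # ^uid= skips auid/euid/suid
            if ($i ~ /^exe=/) exe = substr($i, 5)
        }
        gsub(/"/, "", key); gsub(/"/, "", exe)
        if (key == "mod_load" || key == "iouring") print key, uid, exe
    }'
}

# Constructed audit records (not a real capture): one io_uring_setup (425) by an
# unprivileged user, one finit_module (313) by root via kmod, one unrelated record.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=425 success=yes exit=3 uid=1000 auid=1000 exe="/home/alice/a.out" key="iouring"
type=SYSCALL msg=audit(1700000000.002:102): arch=c000003e syscall=313 success=yes exit=0 uid=0 auid=0 exe="/usr/bin/kmod" key="mod_load"
type=PROCTITLE msg=audit(1700000000.002:102): proctitle=6D6F6470726F6265'
```

In practice feed the filter from ausearch -k iouring or -k mod_load; uid=0 from kmod at boot is expected, while the same key from an interactive user's binary is what deserves a look.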