PinTheft PoC Goes Public, Narrowing Arch Linux Exploit Window

V12 security team released a working PinTheft exploit for an Arch Linux kernel double-free, enabling local root escalation on unpatched systems with RDS loaded.

A working exploit for a Linux kernel double-free vulnerability is now public — and Arch Linux is the only major distribution where the affected module is loaded by default, making unpatched developer workstations and custom servers the primary risk surface.

PinTheft PoC Published by V12 Security Team After Kernel Patch Delayed Full Remediation

The V12 security team publicly released a working proof-of-concept exploit for PinTheft, a vulnerability in the Linux kernel’s RDS (Reliable Datagram Sockets) zerocopy functionality that has no assigned CVE. The release on May 20 came 15 days after a kernel patch was issued on May 5, 2026, creating a narrowed but still-open exploitation window for any Arch Linux system that has not yet applied the patch.

PinTheft enables any local user to escalate privileges to root. Because no CVE has been formally assigned, administrators relying on CVE-based patch notification pipelines may not have been alerted to the vulnerability’s existence before the PoC was published.

Technical Mechanism: Double-Free in rds_message_zcopy_from_user

The vulnerability originates in a double-free condition within rds_message_zcopy_from_user(). When an error occurs during a zerocopy RDS send, the error path drops already-pinned memory pages. The normal RDS message cleanup path then drops those same pages a second time, producing a double-free in kernel memory.

By combining the double-free with io_uring fixed buffers, an attacker can convert it into page-cache corruption, then leverage that corruption to gain root privileges. The full exploit chain requires four conditions to be met simultaneously: the RDS module must be loaded, io_uring must be enabled, a readable SUID-root binary must exist on the system, and the architecture must be x86_64.

Why Arch Linux Is the Primary Risk Surface

On Arch Linux, the RDS module loads by default — a configuration choice that does not apply to Ubuntu, Debian, Fedora, or most other major distributions. On those systems, the RDS module is not loaded by default, which means PinTheft’s attack prerequisites are not met without deliberate configuration changes. The practical exploitation risk from a default install is therefore concentrated on Arch.

Arch Linux is used disproportionately in developer environments, research workstations, and custom server deployments. These are environments where local user access is common — developers log in directly, share workstations, or operate multi-user development servers — which means the “local user” prerequisite for PinTheft is frequently satisfied in practice.

The public availability of a working PoC dramatically changes the exploitation timeline. Previously, an attacker would need to develop their own exploit from the vulnerability description — a technically demanding task. With the V12 team’s PoC published, any attacker with local access to an unpatched Arch system can now directly weaponize the code without independent exploit development.

Patch Status and Remediation Path

A kernel patch addressing the double-free condition was released on May 5, 2026. Arch Linux users running a pre-patch kernel version remain exposed. The remediation path is a kernel update; as a temporary mitigation, unloading the RDS module (rmmod rds) removes the attack surface on systems where RDS functionality is not required.

Systems operators who have not applied the May 5 patch should treat the PoC publication date — May 20 — as the effective exploitation risk date, not the original vulnerability disclosure. The gap between patch availability and PoC publication offered a 15-day remediation window; that window has closed for any system still running the unpatched kernel.
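The following audit script is an added example, written for this article and not code from the V12 team or from any kernel or Arch project. It checks a host against the four prerequisites named above (RDS module loaded, io_uring usable by unprivileged users, a readable SUID-root binary, x86_64) and reports whether the interim mitigation of unloading RDS is in effect. It assumes the kernel.io_uring_disabled sysctl (present since Linux 6.6) as the io_uring switch, treats its absence as "io_uring enabled", and scans only /usr for setuid binaries; it does not try to tell whether the running kernel already contains the May 5 fix, because the article names no fixed version, so pair its verdict with your distribution's package version.

```shell
#!/bin/sh
# Added example (not from the article or the V12 team): audit a host against the
# four PinTheft prerequisites and report whether the interim mitigation
# (RDS module not loaded) is in effect. POSIX sh only; no root needed.

# rds_module_loaded MODULES_TEXT: succeed if an "rds" module line appears in
# lsmod-style text (/proc/modules uses the same first column).
rds_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "rds" { found = 1 } END { exit !found }'
}

# io_uring_usable_by_unprivileged VALUE: interpret kernel.io_uring_disabled
# (Linux 6.6+): 0 = any process may create rings, 1 = only CAP_SYS_ADMIN or
# members of kernel.io_uring_group, 2 = nobody. An empty value (older kernel,
# sysctl absent) is treated as 0, since such kernels have no switch to turn
# io_uring off.
io_uring_usable_by_unprivileged() {
    case "${1:-0}" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# readable_suid_root_binary_exists DIR: succeed if DIR contains a root-owned
# setuid file that the current user can read (one of the listed prerequisites).
readable_suid_root_binary_exists() {
    find "$1" -xdev -type f -user root -perm -4000 \
        -exec sh -c 'test -r "$1"' sh {} \; -print 2>/dev/null | grep -q .
}

# pintheft_prereqs_met RDS IOURING SUID ARCH: succeed only when all four
# conditions hold ("yes"/"no" flags plus the uname -m string).
pintheft_prereqs_met() {
    [ "$1" = yes ] && [ "$2" = yes ] && [ "$3" = yes ] && [ "$4" = x86_64 ]
}

# audit_host: gather the facts from the live system and print a verdict.
# Scanning /usr for setuid binaries is an assumption of this example; widen
# the path if your system keeps such binaries elsewhere.
audit_host() {
    rds=no
    rds_module_loaded "$(cat /proc/modules 2>/dev/null)" && rds=yes
    uring=no
    io_uring_usable_by_unprivileged \
        "$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null)" && uring=yes
    suid=no
    readable_suid_root_binary_exists /usr && suid=yes
    arch=$(uname -m)

    printf 'rds loaded: %s\nio_uring usable by unprivileged users: %s\n' "$rds" "$uring"
    printf 'readable SUID-root binary: %s\narchitecture: %s\n' "$suid" "$arch"

    if pintheft_prereqs_met "$rds" "$uring" "$suid" "$arch"; then
        echo 'VERDICT: all four prerequisites hold; update the kernel, or as an interim step run: rmmod rds'
        return 0
    fi
    echo 'VERDICT: at least one prerequisite is missing on this host'
    return 1
}

audit_host || :
```

Run it as an ordinary user on each Arch host; a "yes" on every line means the box is exploitable by any local account until the patched kernel is installed. Note that rmmod rds on its own does not survive a reboot and, because the kernel autoloads protocol modules when a socket of that family is created, the module can be pulled back in; to make the interim mitigation stick, add a line reading install rds /bin/false to a file under /etc/modprobe.d and re-run the audit to confirm the module stays unloaded.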
