Cybersecurity Announcement: Linux Kernel Privilege Escalation to Root Vulnerability - PinTheft

This document is the cybersecurity announcement for Linux PinTheft LPE vulnerability.

About the Event

PinTheft is a variant of CopyFail / DirtyFrag / Fragnesia. It was discovered on May 19, by Aaron Esau of the V12 Security Team. There is no CVE assigned yet.

Actions to Consider

This attack is similar to Copy-Fail as it is a consistent Local Privilege Escalation (LPE), no race condition is necessary. Cybersecurity recommends Linux administrators evaluate their risks and follow mitigation instructions included in the articles linked in the References section. Currently, there are no vendor-provided patches to remediate this vulnerability.

If you believe you may have been compromised please contact the Office of Cybersecurity at cybersecurity@cio.wisc.edu.

Event Impact

Any local unprivileged user would be able to obtain root-level access resulting in a full system takeover. Proof of concept code is already publicly available. The RDS kernel module this requires is only default on Arch Linux among the common distributions that have been tested so far.

References

https://github.com/v12-security/pocs/tree/09e835b587bf71249775654061ae4c79e92cf430/pintheft

https://www.openwall.com/lists/oss-security/2026/05/19/6

Keywords:

copy fail copyfail vulnerabilities pintheft Linux LPE pin theft

Doc ID:

161416

Owned by:

Jamie G. in Cybersecurity Testing and Cyber Defense

Created:

2026-05-19

Updated:

2026-05-19

Sites:

Cybersecurity Testing and Cyber Defense, Cybersecurity Vulnerablity Management

0 0 Comment Suggest new doc