A local privilege escalation (LPE) security vulnerability in the Linux kernel, codename “PinTheft,” was publicly disclosed on May 19, 2026. The vulnerability was fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published along with public disclosure. The vulnerability does not have a CVE ID assigned at the moment; other discovering teams may have given this issue other names. Ubuntu installations are only impacted if they use RDS (Reliable Datagram Sockets), a protocol generally used for high-performance computing (HPC).   The default Ubuntu configuration disables the automatic loading of the module affected by this vulnerability.

The vulnerability is a reference count bug that allows poisoning the page cache with malicious contents, similar to Copy Fail (CVE-2026-31431) or Dirty COW (CVE-2016-5195).

The vulnerability does not have a CVSS score assigned yet. Canonical assesses the vulnerability to have a CVSS 3.1 score of 7.8, corresponding to a High severity. The Ubuntu Priority assigned is Medium, the local privilege escalation to root from unprivileged users is balanced against the default configuration of Ubuntu being safe against this issue. Ubuntu uses a /etc/modprobe.d/blacklist-rare-network.conf configuration file that disables rarely used network protocols, including the affected RDS.

Impact

The vulnerability allows an attacker to replace the in-memory contents of arbitrary files. The disk contents are not affected, but programs that read a file, make changes, and write the data back may make the changes persistent.

The published proof of concept exploit rewrites a setuid executable with a very short program that grants root privileges to an unprivileged local user with very high reliability.

 The impact of the vulnerability is unclear in containerized environments. It’s possible that an attacker in a container cannot use this to escape the container themselves, but could corrupt data for other containers or the main host, and if the raw storage for files is shared, could choose their targets.

Affected releases

The default configuration of all Ubuntu releases is not affected, either because the relevant kernels do not have the issue, or because the issue is mitigated in the shipped configuration.

Ubuntu kernel images for 16.04 LTS and earlier do not have the issue.

Ubuntu kernel images on Focal Fossa (20.04 LTS) and later are affected. Ubuntu Bionic Beaver (18.04 LTS) only has the vulnerable code on the HWE kernel versions (5.4).

In Ubuntu, the vulnerability fix will be distributed through the Linux kernel image packages. Until the Linux kernel security update is available, the default Ubuntu configuration is not affected because it disables the vulnerable kernel module from automatically loading. This default mitigation impacts programs that use RDS networking. Users that need this functionality would have to explicitly load the rds module, a configuration that would allow this vulnerability to be exploited.

How to check if you are impacted

Confirm that the rds module is not currently loaded:

lsmod | grep -qE '^rds ' && echo "Module is loaded (vulnerable)" || echo "Module is NOT loaded"

Ensure that the automatic loading of the module is disabled:

grep -rqE '^alias net-pf-21 off' /etc/modprobe.d/ && echo "Automatic loading disabled (NOT vulnerable)" || echo "Automatic loading possible (vulnerable)"

Ensure that the module is not loaded at boot time:

grep -rqE '^rds' /etc/modules-load.d/ /usr/lib/modules-load.d/ && echo "Module is loaded at boot time (vulnerable)" || echo "Module is not loaded at boot time (NOT vulnerable)"

Manual mitigation

No manual mitigation is necessary on default Ubuntu systems. If you previously enabled RDS on your systems, you may disable it from automatically loading again via:

rmmod rds
echo "alias net-pf-21 off" | sudo tee /etc/modprobe.d/blacklist-rds.conf

Disabling the mitigation

Once kernel updates are available and installed, the mitigation can be removed if you must run RDS applications:

sudo rm /etc/modprobe.d/blacklist-rds.conf

We recommend that you do not disable this mitigation unless you must run RDS.