A local privilege escalation (LPE) security vulnerability in the Linux kernel, codename “PinTheft,” was publicly disclosed on May 19, 2026. The vulnerability was fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published along with public disclosure. The vulnerability does not have a CVE ID assigned at the moment; other discovering teams may have given this issue other names. Ubuntu installations are only impacted if they use RDS (Reliable Datagram Sockets), a protocol generally used for high-performance computing (HPC). The default Ubuntu configuration disables the automatic loading of the module affected by this vulnerability.
The vulnerability is a reference count bug that allows poisoning the page cache with malicious contents, similar to Copy Fail (CVE-2026-31431) or Dirty COW (CVE-2016-5195).
The vulnerability does not have a CVSS score assigned yet. Canonical assesses the vulnerability to have a CVSS 3.1 score of 7.8, corresponding to a High severity. The Ubuntu Priority assigned is Medium, the local privilege escalation to root from unprivileged users is balanced against the default configuration of Ubuntu being safe against this issue. Ubuntu uses a /etc/modprobe.d/blacklist-rare-network.conf configuration file that disables rarely used network protocols, including the affected RDS.
The vulnerability allows an attacker to replace the in-memory contents of arbitrary files. The disk contents are not affected, but programs that read a file, make changes, and write the data back may make the changes persistent.
The published proof of concept exploit rewrites a setuid executable with a very short program that grants root privileges to an unprivileged local user with very high reliability.
The impact of the vulnerability is unclear in containerized environments. It’s possible that an attacker in a container cannot use this to escape the container themselves, but could corrupt data for other containers or the main host, and if the raw storage for files is shared, could choose their targets.
The default configuration of all Ubuntu releases is not affected, either because the relevant kernels do not have the issue, or because the issue is mitigated in the shipped configuration.
Ubuntu kernel images for 16.04 LTS and earlier do not have the issue.
Ubuntu kernel images on Focal Fossa (20.04 LTS) and later are affected. Ubuntu Bionic Beaver (18.04 LTS) only has the vulnerable code on the HWE kernel versions (5.4).
In Ubuntu, the vulnerability fix will be distributed through the Linux kernel image packages. Until the Linux kernel security update is available, the default Ubuntu configuration is not affected because it disables the vulnerable kernel module from automatically loading. This default mitigation impacts programs that use RDS networking. Users that need this functionality would have to explicitly load the rds module, a configuration that would allow this vulnerability to be exploited.
| Release | Package Name | Fixed Version |
| Trusty Tahr (14.04 LTS) | linux | Not affected |
| Xenial Xerus (16.04 LTS) | linux | Not affected |
| Bionic Beaver (18.04 LTS) | linux | Linux 4.15 – not affected Linux 5.4 (HWE) – mitigated in default configuration |
| Focal Fossa (20.04 LTS) | linux | Mitigated in default configuration |
| Jammy Jellyfish (22.04 LTS) | linux | Mitigated in default configuration |
| Noble Numbat (24.04 LTS) | linux | Mitigated in default configuration |
| Questing Quokka (25.10) | linux | Mitigated in default configuration |
| Resolute Raccoon (26.04 LTS) | linux | Mitigated in default configuration |
Confirm that the rds module is not currently loaded:
lsmod | grep -qE '^rds ' && echo "Module is loaded (vulnerable)" || echo "Module is NOT loaded"Ensure that the automatic loading of the module is disabled:
grep -rqE '^alias net-pf-21 off' /etc/modprobe.d/ && echo "Automatic loading disabled (NOT vulnerable)" || echo "Automatic loading possible (vulnerable)"Ensure that the module is not loaded at boot time:
grep -rqE '^rds' /etc/modules-load.d/ /usr/lib/modules-load.d/ && echo "Module is loaded at boot time (vulnerable)" || echo "Module is not loaded at boot time (NOT vulnerable)"No manual mitigation is necessary on default Ubuntu systems. If you previously enabled RDS on your systems, you may disable it from automatically loading again via:
rmmod rds
echo "alias net-pf-21 off" | sudo tee /etc/modprobe.d/blacklist-rds.confOnce kernel updates are available and installed, the mitigation can be removed if you must run RDS applications:
sudo rm /etc/modprobe.d/blacklist-rds.confWe recommend that you do not disable this mitigation unless you must run RDS.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。