Urgent: A severe security vulnerability in the Linux kernel, present since 2017, has been publicly disclosed by security analysis firm Xint. The flaw allows attackers to perform arbitrary 4-byte writes to the page cache, which can be exploited to corrupt setuid binaries and escalate privileges on affected systems.
The vulnerability has been patched in the latest mainline kernel versions. However, a proof-of-concept (PoC) exploit demonstrates that the bug is trivially reproducible on multiple Linux distributions, including Ubuntu, Debian, and Fedora.
Background: How the Bug Works
The core of the vulnerability lies in the interaction between the splice() system call and AF_ALG sockets used for AEAD (Authenticated Encryption with Associated Data) encryption. splice() transfers data between file descriptors and pipes without copying, instead passing page cache pages by reference.
When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. These pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file.
“The fundamental issue is that the kernel’s memory management assumes pages are never modified while referenced by a page cache descriptor, but the AF_ALG path allows arbitrary writes through the scatterlist,” said Dr. Elena Torres, lead security analyst at Xint.
The PoC script works by requesting an AEAD-encrypted socket from user space and splicing a specially crafted payload into it. This payload, when processed by the kernel’s encryption routine, writes four bytes to an arbitrary offset in the page cache. By carefully selecting the offset, an attacker can modify a setuid binary's code in memory, effectively gaining root privileges when the binary is executed.
What This Means for Linux Users
This bug is rated high severity because it enables privilege escalation from a local, unprivileged user account. Since the page cache is shared across all processes, an attacker could potentially corrupt any file that is currently cached—including system binaries, shared libraries, or even the kernel image itself.
“The arbitrary 4-byte write is precisely controlled, making it a reliable vector for mounting attacks against setuid executables,” explained Mark Chen, senior researcher at Xint. “We have verified the exploit on multiple distros with default configurations.”
Administrators and security teams should immediately prioritize patching their systems. The fix has been backported to stable kernel branches, and most major distributions are expected to release updates within 24 hours.
Long-Term Implications
While the immediate vulnerability is patched, the underlying architectural issue—where page cache references can be hijacked via splice and crypto sockets—remains a concern. Future attacks could exploit similar interactions between splice() and other kernel subsystems.
What to do now:
- Update your kernel to the latest patched version (5.15.10+ or 5.10.90+).
- If patching is delayed, restrict access to
AF_ALGsockets via seccomp or SELinux policies. - Monitor for unusual filesystem modifications, especially to
/usr/binbinaries.
“This isn't just a single bug—it's a wake-up call for the kernel community to re-verify assumptions about non-copying data paths,” Dr. Torres concluded.
For full technical details, refer to Xint’s supplemental blog post.