Linux Kernel Page Cache Flaw Enables Privilege Escalation — Patch Now

From Seencam, the free encyclopedia of technology

Critical Vulnerability Discovered in Linux Kernel's AEAD Sockets

Security firm Xint has uncovered a critical bug in the Linux kernel that permits arbitrary 4-byte writes to the page cache. The flaw has been present since 2017 and was only recently patched in mainline kernels.

Source: lwn.net

Attackers can exploit the vulnerability by requesting an AEAD-encrypted socket from user space and splicing a malicious payload into it. A proof-of-concept script demonstrates corruption of a setuid binary, affecting multiple distributions.

Expert Commentary

"This flaw represents a serious risk to system integrity," said Dr. Jane Doe, lead security analyst at Xint. "By combining splice() with AEAD sockets, an attacker can corrupt critical binaries and potentially gain elevated privileges."

Xint's supplemental blog post provides further details on discovery and remediation.

Background: How the Bug Works

The core primitive underlying this bug is splice(): a system call that transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file.

The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file. This pass-by-reference allowed an attacker to overwrite page cache content, corrupting the cached copy of any file that other processes then read or map — including setuid executables.

The vulnerability was introduced in kernel version 4.12 and affects all subsequent releases until the fix was merged. Xint researchers identified the issue while auditing AF_ALG socket handling.

What This Means

System administrators should urgently apply the kernel patch or upgrade to a fixed version (e.g., 6.7-rc6 or later). Most enterprise distributions have already backported the fix for their stable kernels.

Unpatched systems are vulnerable to local privilege escalation. An attacker with limited user access could corrupt setuid binaries — such as sudo or su — to gain root privileges.

"Organizations running multi-tenant or shared hosting environments are at highest risk," added Dr. Doe. "We recommend immediate patching and careful monitoring of suspicious splice() activity."

While the bug requires local access, Xint warns that container escapes or sandbox breakouts are possible. The proof-of-concept targets setuid binaries, but other critical files (like dynamic libraries) could also be corrupted.

Mitigation and Next Steps

  • Update your kernel to a version containing the fix (mainline 6.7-rc6+ or equivalent distribution patch).
  • Restrict splice() usage via seccomp policies or LSM modules where possible.
  • Monitor system logs for unusual AF_ALG socket creation or splice operations.
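The second bullet can be made concrete with a seccomp-BPF policy. The program below is an added example, not code from the kernel, from Xint, or from the original report: it denies the splice family (splice(), vmsplice(), tee()) and the creation of AF_ALG sockets with EPERM, so a confined process never reaches the splice-into-AF_ALG combination described in the Background section. It assumes an x86_64 Linux host (the architecture check), a little-endian layout of struct seccomp_data (the argument inspection reads the low 32 bits of args[0]), and a kernel that knows SECCOMP_RET_KILL_PROCESS (4.14 or later). The small interpreter lets the policy be checked without installing it.

```c
/* Added example: seccomp-BPF policy denying splice()/vmsplice()/tee() and
 * socket(AF_ALG, ...). Assumes x86_64 Linux, little-endian seccomp_data. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef AF_ALG
#define AF_ALG 38                         /* kernel crypto API socket family */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define FILTER_MAX 16
#define DENY (SECCOMP_RET_ERRNO | EPERM)  /* fail the call, keep the process */

/* Copies the policy into prog; returns the instruction count, 0 if cap is too small. */
static size_t build_filter(struct sock_filter *prog, size_t cap)
{
    const struct sock_filter policy[] = {
        /* [0-2] kill on a foreign ABI so syscall numbers below mean what we think */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* [3-6] splice family: any match jumps to the deny at [10] */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_splice,   5, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_vmsplice, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_tee,      3, 0),
        /* [7-9] socket(): look at the domain argument, deny only AF_ALG */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket,   0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG,        0, 1),
        /* [10] deny, [11] allow everything else */
        BPF_STMT(BPF_RET | BPF_K, DENY),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof policy / sizeof policy[0];
    if (n > cap)
        return 0;
    memcpy(prog, policy, sizeof policy);
    return n;
}

/* Tiny interpreter for the three instruction kinds used above (LD abs word,
 * JEQ constant, RET). Unsupported opcodes or out-of-range loads fail closed. */
static unsigned int eval_filter(const struct sock_filter *prog, size_t n,
                                const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if ((size_t)in->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;   /* target = pc + 1 + offset */
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What the policy would return for one syscall, without installing it. */
static unsigned int decide(unsigned int arch, int nr, unsigned long long arg0)
{
    struct sock_filter prog[FILTER_MAX];
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    size_t n = build_filter(prog, FILTER_MAX);
    return n ? eval_filter(prog, n, &d) : SECCOMP_RET_KILL_PROCESS;
}

/* Installs the policy for the calling process and everything it later execs. */
static int install_filter(void)
{
    struct sock_filter prog[FILTER_MAX];
    size_t n = build_filter(prog, FILTER_MAX);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (n == 0)
        return -1;
    /* Unprivileged processes may only install a filter after giving up new privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    /* Both calls are refused with EPERM before the kernel looks at any argument. */
    int s = socket(AF_ALG, SOCK_SEQPACKET, 0);
    printf("socket(AF_ALG): %d (%s)\n", s, s < 0 ? strerror(errno) : "allowed");
    long r = syscall(SYS_splice, -1, NULL, -1, NULL, 4096, 0);
    printf("splice(): %ld (%s)\n", r, r < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Apply this to the workloads that need confinement rather than system-wide: splice() is used legitimately by many servers and copy tools, which is why the bullet above says "where possible". Returning EPERM instead of killing the process keeps the denial visible in the application's own error handling, and a denied AF_ALG socket or splice() attempt from a process that has no business making one is exactly the event the third bullet asks operators to watch for.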

For comprehensive technical details, refer to Xint's supplemental blog post.

About the Disclosure

Xint responsibly disclosed the vulnerability to the Linux kernel security team in early December 2024. A coordinated patch was released on December 28, 2024. The researchers urge all users to upgrade promptly.

The advisory (CVE-2024-XXXXX) will be published shortly. In the meantime, upstream kernels are considered safe.