Critical Linux Kernel Bug Allows Arbitrary Page Cache Writes via AEAD Sockets

Introduction

Security analysis firm Xint has uncovered a significant vulnerability in the Linux kernel that has been present since 2017. This flaw permits arbitrary 4-byte writes to the page cache, potentially enabling an attacker to corrupt system binaries and escalate privileges. The bug has been confirmed on multiple distributions, and a proof-of-concept exploit demonstrates its severity. The good news: the issue has been patched in the mainline kernel. This article breaks down how the vulnerability works, its potential impact, and what has been done to fix it.

Understanding the Vulnerability

At the heart of this security flaw lies a core kernel primitive called splice(). This system call is designed for efficient data transfer between file descriptors and pipes, moving data without copying by passing page cache pages by reference. Normally, this optimization speeds up operations like streaming large files. However, when combined with AEAD-encrypted sockets via the AF_ALG family, it opens a dangerous door.

The Role of splice()

splice() works by taking pages from the page cache—kernel-managed memory that backs every read(), mmap(), or execve() call—and handing them directly to a pipe. If a user then splices that pipe into an AF_ALG socket (used for cryptographic operations), the socket’s input scatterlist ends up holding direct references to those same kernel-cached pages. Crucially, the pages are not duplicated; the scatterlist entries point at the physical memory pages that contain file data. This is where the vulnerability takes root.

AEAD Sockets and Scatterlist Exploitation

The AF_ALG socket type allows user-space applications to request cryptographic services, such as AEAD (Authenticated Encryption with Associated Data) encryption. By requesting an AEAD-encrypted socket and then splicing specific payload data into it, an attacker can manipulate the scatterlist to write arbitrary data into the page cache. Because the page cache holds data from cached files—including executable binaries and sensitive system files—a carefully crafted splice can corrupt a setuid binary, thereby gaining elevated privileges. The proof-of-concept provided by Xint demonstrates exactly this: it corrupts a setuid binary on multiple Linux distributions.

Impact and Proof of Concept

The vulnerability allows for 4-byte arbitrary writes to the page cache, which might seem limited, but is sufficient to overwrite critical security checks in a setuid binary. The PoC shows that an unprivileged user can trigger the bug and escalate to root. The flaw has been present since kernel version 4.x (2017), meaning a wide range of Linux systems—both desktop and server—could be affected if not patched.

Xint published a supplemental blog post detailing the discovery process and the remediation steps. They emphasize that while the bug is fixed in the mainline kernel, distributions undergoing long-term maintenance cycles may still be vulnerable until they backport the patch.

Fix and Timeline

The Linux kernel community responded quickly. The fix disables the problematic usage of splice() with AF_ALG sockets, preventing the scatterlist from holding direct references to page cache pages without proper checks. The patch has been merged into the mainline kernel, and distributions are encouraged to apply it as soon as possible.

Key dates:

• 2017: Bug introduced in the kernel.
• 2023: Xint discovers and reports the vulnerability.
• 2024: Fix merged into mainline kernel. PoC released.

Conclusion

This bug serves as a stark reminder of the complexity of kernel security—even well-established primitives like splice() can have unforeseen interactions with other subsystems. Users should update their kernels to the latest stable version or apply the appropriate patch from their distribution vendor. For system administrators, verifying that AF_ALG socket usage is restricted in untrusted environments can help mitigate risk until patches are applied.