Decade-Long Linux Kernel Flaw Enables Arbitrary Page Cache Corruption via AEAD Sockets

Introduction

A recently disclosed security vulnerability in the Linux kernel has raised alarms across the open-source community. Discovered and reported by security analysis firm Xint, this bug has lurked in the kernel codebase since 2017, enabling arbitrary 4-byte writes to the page cache. The flaw is particularly dangerous because it can be exploited from user space to corrupt sensitive system binaries, such as setuid executables, leading to full privilege escalation. The vulnerability has been confirmed on multiple Linux distributions, and proof-of-concept code is now publicly available. Fortunately, a fix has already been merged into mainline kernels, but patching all affected systems remains an urgent priority.

Background: The Splice System Call and AF_ALG Sockets

At the heart of this vulnerability lies the interaction between two important kernel features: the splice() system call and AF_ALG sockets. Understanding their normal operation is essential to grasping the bug.

The Splice Mechanism

The splice() system call is designed to transfer data between two file descriptors without copying the data through user space. Instead, it moves page cache pages by reference between a source file and a pipe, or between two pipes. This zero-copy approach significantly boosts performance for large data transfers, as the kernel can simply pass pointers to physical memory pages rather than duplicating their contents.

AEAD Sockets (AF_ALG)

The AF_ALG socket family provides user-space access to kernel cryptographic algorithms, including AEAD (Authenticated Encryption with Associated Data). Applications can open an AF_ALG socket, configure it for a specific cipher, and then read/write encrypted data. Under the hood, the socket uses scatter-gather lists to handle input and output pages efficiently.

How the Bug Works: A Flaw in Page Reference Handling

The vulnerability arises when a user combines splice() with an AF_ALG socket in a specific way. The core problem is that the kernel fails to protect the ownership of page cache pages once they are spliced into an AEAD socket's input scatterlist.

Exploitation Steps

1. Open a target file, such as a setuid binary, whose page cache pages will be corrupted.
2. Create a pipe and use splice() to transfer the file contents into the pipe. The kernel moves the page cache pages (not copies) into the pipe buffer.
3. Create an AF_ALG socket configured for an AEAD cipher and splice the data from the pipe into that socket. The socket's input scatterlist now holds direct references to the same physical pages that back the original file.
4. Modify those pages through the socket interface by injecting carefully crafted encrypted payloads. Because the pages are shared, any writes performed by the cryptographic operation — even those intended only for the socket's internal buffers — can corrupt the page cache pages of the original file.

What an Attacker Can Achieve

The proof-of-concept script released by Xint demonstrates that an attacker can perform arbitrary 4-byte writes to the page cache. By targeting a setuid binary (e.g., /usr/bin/su or /usr/bin/sudo), the attacker can overwrite critical instructions or data. This corrupts the binary each time it is read, mmap()'ed, or execve()'ed, ultimately allowing the attacker to run arbitrary code with elevated privileges.

Impact and Severity

The bug is severe for several reasons:

• Wide Attack Surface: Any system with an unpatched kernel (versions since 2017) is vulnerable. Major distributions such as Ubuntu, Debian, Fedora, and CentOS have all been confirmed affected.
• Low Complexity Exploit: The proof-of-concept code runs entirely from user space, requiring no special capabilities beyond the ability to open AF_ALG sockets (which is typically allowed for unprivileged users).
• Privilege Escalation: Corrupting a setuid binary is a classic path to gaining root access. An attacker already holding a low-privileged shell can escalate to full administrative control.
• Persistence: Since the corruption happens in the page cache, it affects all subsequent accesses to the same file until it is evicted or the system is rebooted. The underlying file on disk remains uncorrupted, but every process that loads the binary will see the tampered version in memory.

Remediation and Patches

The Linux kernel development community has already applied a fix to the mainline kernel. The patch, which can be tracked via the commit history, addresses the root cause by ensuring that pages spliced into an AEAD socket's scatterlist are properly referenced and that the socket does not retain writable references to the original cache pages once the cryptographic operation completes.

What Users Should Do

• Update your kernel to a version containing the fix. Most distributions will release updated packages within days.
• Monitor distribution security advisories for the specific kernel version and package name.
• If you cannot update immediately, consider restricting access to AF_ALG sockets (via seccomp or LSM policies) or even disabling the AF_ALG socket family entirely, though this may break legitimate use cases.

Conclusion

The discovery of this long-lived kernel bug underscores the complexity of modern operating system design. The interaction between splice() and AF_ALG sockets was simply never anticipated to allow page cache corruption. Xint's responsible disclosure and the rapid development of a patch are commendable, but the incident serves as a reminder that even mature codebases can harbor subtle flaws for years. System administrators and security teams should prioritize patching this vulnerability, as the proof-of-concept code lowers the barrier for real-world exploitation.

For a deeper technical dive, readers are encouraged to consult Xint's supplemental blog post (link to their actual blog). The fix commit itself provides a clean illustration of how to prevent such page reference errors in the future.