Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 01:43:08
Breaking: Linux Kernel Bug Allows Arbitrary Writes to Page Cache
A severe security vulnerability in the Linux kernel, present since 2017, has been disclosed by security firm Xint. The flaw enables an attacker to perform arbitrary 4-byte writes to the page cache, potentially corrupting system binaries.

Xint's research reveals that the bug is triggered when a specially crafted AEAD-encrypted socket is combined with the splice() system call. A published proof-of-concept demonstrates corruption of setuid binaries across multiple Linux distributions.
'This is a classic case of unintended page sharing,' said a researcher at Xint, speaking under condition of anonymity. 'The splice() call passes page cache pages by reference, and the AEAD socket's scatterlist can directly modify them.'
How the Attack Works
The core mechanism relies on splice(), which transfers data between file descriptors and pipes without copying. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to kernel-cached pages of that file.
These pages are not duplicated—the scatterlist entries point to the same physical pages that back every read(), mmap(), and execve() call. An attacker can thus overwrite cached data, such as binary executables, with malicious content.
Background
The page cache is a kernel component that stores recently accessed file data in memory for faster I/O. The splice() system call was designed to improve performance by avoiding unnecessary data copying between user and kernel space.
AF_ALG sockets, introduced for cryptographic operations, accept data via scatterlist entries. The vulnerability arises when these two features interact without proper validation of page ownership.
'The kernel assumed that pages passed via splice() would remain read-only in this context,' explained a senior Linux kernel maintainer. 'That assumption was flawed, and the fix adds necessary checks.'
What This Means
Affected systems include all Linux distributions running kernels from versions 4.14 to 6.0, unless patched. The flaw has been fixed in mainline kernels as of [date], but downstream distributions must update their packages.
Attackers who can execute arbitrary code locally can leverage this bug for privilege escalation. Remote exploitation is unlikely but not impossible in certain cloud or container environments.
System administrators should prioritize applying the kernel update. The Xint blog post provides additional details on remediation and a detection script.
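The following triage script is an added example written for this article; it is not the Xint detection script nor any distribution's tooling. It assumes two things: that a kernel whose major.minor version falls in the 4.14 to 6.0 range named above deserves a closer look (a heuristic only, since distributions backport fixes without changing that number, so the distribution's advisory is the final word), and that the host uses dpkg or rpm, whose stored file hashes let you check whether any setuid or setgid binary on disk has drifted from the packaged copy.

```shell
#!/bin/sh
# Added triage helper for the splice()/AF_ALG page-cache bug described above.
# Not from Xint or the article; the version range check is a first-pass
# heuristic only (assumption: distributions backport fixes, so confirm with
# your vendor's advisory rather than trusting the number alone).

# Return 0 when MAJOR.MINOR of the given version lies within 4.14 .. 6.0
# inclusive, 1 when outside, 2 when the string is not a kernel version.
kernel_in_affected_range() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # Strip anything after the minor number, e.g. "15-generic" -> "15"
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;   # reject non-numeric input
    esac
    code=$((major * 1000 + minor))  # 4.14 -> 4014, 6.0 -> 6000
    [ "$code" -ge 4014 ] && [ "$code" -le 6000 ]
}

# Enumerate setuid/setgid regular files on local filesystems.
list_setuid_binaries() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Compare one binary against package metadata. Prints "ok", "modified",
# "unpackaged" or "unverified" followed by the path.
verify_setuid_binary() {
    f="$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
        if [ -z "$pkg" ]; then
            echo "unpackaged $f"
        elif dpkg -V "$pkg" 2>/dev/null | grep -q " $f\$"; then
            echo "modified $f ($pkg)"
        else
            echo "ok $f ($pkg)"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$f" 2>/dev/null)
        if [ -z "$pkg" ]; then
            echo "unpackaged $f"
        elif rpm -V "$pkg" 2>/dev/null | grep -q " $f\$"; then
            echo "modified $f ($pkg)"
        else
            echo "ok $f ($pkg)"
        fi
    else
        echo "unverified $f"
    fi
}

main() {
    running=$(uname -r)
    if kernel_in_affected_range "$running"; then
        echo "kernel $running is inside the 4.14..6.0 range; confirm patch status with your distribution"
    else
        echo "kernel $running is outside the range the article names"
    fi
    # The filesystem scan is slow, so it only runs when asked for explicitly.
    if [ "${1:-}" = "--scan" ]; then
        list_setuid_binaries | while read -r f; do verify_setuid_binary "$f"; done
    fi
}

main "$@"
```

Run it as `sh triage.sh` for the kernel check alone, or `sh triage.sh --scan` to also verify every setuid/setgid binary; any line starting with `modified` is a file whose on-disk contents no longer match what the package manager installed and should be reinstalled from a trusted package and investigated.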
'This is a wake-up call for the kernel community to review all uses of splice() with AF_ALG sockets,' the Xint researcher added. 'We expect more such issues to emerge.'