Overview of the Vulnerability
A recently disclosed security vulnerability in the Linux kernel, present since 2017, allows attackers to perform arbitrary 4-byte writes to the page cache. The flaw, discovered by security analysis firm Xint, has been patched in mainline kernels. A proof-of-concept demonstrates how malicious actors can corrupt setuid binaries across multiple Linux distributions by exploiting AEAD-encrypted sockets.
At the heart of this issue lies the splice() system call, which transfers data between file descriptors and pipes without copying—by referencing page cache pages directly. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. These pages are not duplicated; the scatterlist entries point at the same physical pages used by every read(), mmap(), and execve() operation on that file.
The Vulnerability in Detail
How splice() Enables the Attack
The splice() system call is designed for high-performance I/O. By transferring pages by reference, it avoids memory copy overhead. However, this zero-copy mechanism becomes dangerous when combined with cryptographic operations. In this bug, splicing a file into an AEAD (Authenticated Encryption with Associated Data) socket causes the kernel to place page-cache pages directly into the scatterlist used for encryption. Because the pages are shared, any modification via the socket's output affects the original cached content—leading to corruption of arbitrary 4-byte chunks.
AEAD Sockets and AF_ALG
The AF_ALG (Algorithm) socket family allows user-space applications to request kernel-level cryptographic operations. AEAD sockets specifically handle authenticated encryption. The vulnerability arises when a splice() request feeds data into such a socket. The kernel fails to properly duplicate pages before placing them in the scatterlist, meaning writes to the socket's output can overwrite the underlying page cache. This gives an attacker the ability to write four bytes at an arbitrary offset into any file whose pages are cached—including executables used in setuid binaries.
Proof of Concept and Impact
Xint released a proof-of-concept script that demonstrates the attack. It works by requesting an AEAD-encrypted socket from user space, splicing a carefully crafted payload into it, and then exploiting the direct page references to corrupt a setuid binary. The script successfully compromises multiple popular distributions, highlighting the widespread risk. An arbitrary 4-byte write can be used to overwrite critical security flags, alter executable code, or inject malicious instructions—sufficient to escalate privileges or break out of sandboxes.
While the write size is limited to 4 bytes, attackers can chain multiple iterations or target specific memory offsets to achieve full system compromise. The bug has existed since kernel version 4.12 (2017), meaning many long-term support (LTS) systems remain vulnerable if not updated.
Remediation and Patches
The vulnerability has been fixed in mainline Linux kernels. The patch ensures that pages transferred into AF_ALG sockets are properly copied before being placed in scatterlists, severing the dangerous direct reference to the page cache. System administrators are urged to apply the latest kernel updates immediately. For distributions that backport fixes, check advisories from your vendor. Xint’s supplementary blog post provides further technical details on the discovery and remediation process, including the exact commits that resolve the issue.
Conclusion and Mitigation Steps
This bug underscores the risks inherent in zero-copy I/O mechanisms when combined with feature-rich subsystems like cryptographic sockets. The combination of splice() and AF_ALG created a path for arbitrary page cache corruption that went unnoticed for years. To protect your systems:
- Update your kernel to the latest stable version that includes the fix (starting from 5.10.x, 5.15.x LTS, and newer).
- Monitor security advisories from your Linux distribution for backported patches.
- Restrict use of AF_ALG sockets in user-facing applications if possible, until all systems are patched.
The flaw serves as a reminder that even mature codebases can harbor subtle vulnerabilities. Proactive patching remains the best defense against privilege escalation attacks.