In early 2024, security researchers at Xint uncovered a dangerous vulnerability buried within the Linux kernel’s cryptographic socket handling. This bug, present since 2017, allows attackers to corrupt sensitive kernel memory by exploiting a combination of AEAD sockets and the splice() system call. Below are the five essential details you must understand about this flaw, its exploitation, and how it has been resolved.
1. The Bug: Arbitrary 4-Byte Writes to Page Cache
At its heart, this vulnerability enables an attacker to perform uncontrolled 4-byte writes directly into the kernel’s page cache. The page cache stores recently accessed file data, meaning a corruption here can affect any process reading or executing those files. By carefully crafting the write offset, an attacker can overwrite critical metadata within a file’s cached pages. This primitive is especially dangerous because it bypasses normal memory protections and can be triggered from user space without special privileges. The bug was introduced in Linux kernel version 4.12 (2017) and affects all subsequent releases until the fix was merged. It was discovered and responsibly disclosed by Xint, who also provided a proof-of-concept exploit to demonstrate its severity.
2. The Role of splice() in the Attack
The splice() system call is a zero-copy mechanism that transfers data between file descriptors and pipes without copying data through user space. Instead, it passes page cache pages by reference. The vulnerability arises when an attacker splices a file into a pipe and then into an AF_ALG socket configured for AEAD encryption. The socket’s input scatterlist ends up holding direct references to the kernel’s cached pages of that file. Because these pages are not duplicated, any modification via the socket directly alters the page cache. The attacker can then request an AEAD-encrypted socket and splice a malicious payload into it. The socket interprets the payload as encryption input, but due to a missing boundary check, it writes beyond the expected area, corrupting adjacent page cache entries.
3. Corrupting Setuid Binaries for Privilege Escalation
The proof-of-concept from Xint demonstrates how the bug can be weaponized to corrupt a setuid binary—such as /usr/bin/su or /usr/bin/sudo. By splicing a crafted payload into an AEAD socket, the attacker can overwrite specific bytes in the binary’s cached pages. This changes the binary’s behavior while it is being executed by another process, potentially granting elevated privileges. The exploit works across multiple Linux distributions, including Ubuntu, Debian, and Fedora. Because the corruption happens in the page cache, even read-only file systems are vulnerable if the file is cached. The attack does not require physical access; it can be executed remotely if an attacker has user-level access to the system.
4. Affected Versions and Disclosure Timeline
The bug was introduced in Linux kernel version 4.12 (released July 2017) and remained undetected for over six years. Xint discovered the flaw and responsibly reported it to the Linux kernel security team. A patch was developed and merged into the mainline kernel on February 15, 2024. All stable and long-term support (LTS) kernels downstream have since received the fix. Users are strongly advised to update to kernel versions 6.8.1 (stable) or later, or to apply the corresponding backported patch for their distribution. The vulnerability does not affect older kernels (pre-4.12) or non-Linux systems. Administrators should check their kernel version using uname -r and update promptly.
5. Mitigation and Lessons Learned
The official patch addresses the root cause by adding proper length validation in the AEAD socket’s scatterlist handling. Specifically, it verifies that the total input size does not exceed the allocated buffer before processing. For systems that cannot immediately patch, administrators can mitigate the risk by disabling the AF_ALG socket family if it is not required, using kernel module blacklisting (blacklist algif_skcipher). Additionally, restricting the use of splice() through security modules like SELinux or AppArmor may limit exploitability. The incident highlights the dangers of zero-copy APIs and the importance of rigorous boundary checks in kernel subsystems. Xint’s discovery and responsible disclosure have made Linux more secure, but the lengthy presence of the bug underscores the need for continuous auditing of critical kernel code.
In summary, the AEAD socket vulnerability was a serious kernel flaw that allowed page cache corruption via a clever splice-based attack. It has been fixed, and all users should update their kernels immediately. By understanding how the bug works and its impact, system administrators can better appreciate the importance of prompt patching and the subtle dangers of kernel-level data sharing mechanisms.