
"Copy Fail": deterministic Linux kernel LPE on all major distros


Logic flaw in algif_aead lets an unprivileged user do controlled 4-byte writes into the page cache, corrupt privileged binaries, and escalate to root. No race, no offset dependencies. A 732-byte Python PoC roots Ubuntu, Amazon Linux, RHEL, and SUSE without modification. Surfaced by Theori’s Xint Code in roughly one hour of scan time. Interim mitigation: disable the algif_aead module.
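One way to check whether the interim mitigation is actually in effect on a host, as an added example that is not part of the original advisory or of Theori's tooling. The function names and status strings are hypothetical, and the advisory does not say how to disable the module: the install-rule approach and the file locations below are the standard modprobe.d and /lib/modules conventions, used here as an assumption.

```shell
#!/bin/sh
# Added example: is the algif_aead interim mitigation in effect on this host?
# Function names and status strings are hypothetical; paths are parameters so
# the logic can be exercised against constructed fixture files.
MOD=algif_aead

# True if MOD is listed in a /proc/modules-format file (module is resident).
is_loaded() {
    [ -r "$1" ] && awk -v m="$MOD" '$1 == m { f = 1 } END { exit !f }' "$1"
}

# True if MOD is compiled into the kernel (modules.builtin-format file);
# modprobe configuration cannot disable it in that case.
is_builtin() {
    [ -r "$1" ] && grep -q "/$MOD\.ko\$" "$1"
}

# True if a *.conf file in the modprobe.d directory overrides loading with
# "install algif_aead /bin/false" (or /bin/true). A "blacklist" line is not
# counted: it only suppresses alias matches, not a load by module name.
is_blocked() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$MOD" '$1 == "install" && $2 == m &&
            ($3 == "/bin/false" || $3 == "/bin/true") { f = 1 }
            END { exit !f }' "$f" && return 0
    done
    return 1
}

# aead_status MODULES_FILE MODPROBE_DIR BUILTIN_FILE
aead_status() {
    if is_builtin "$3"; then echo "builtin"     # module config cannot disable it
    elif is_loaded "$1"; then echo "loaded"     # resident now; unload it too
    elif is_blocked "$2"; then echo "blocked"   # mitigation in effect
    else echo "loadable"                        # absent, but nothing stops a load
    fi
}

# Live check using the usual Linux locations.
aead_status /proc/modules /etc/modprobe.d \
    "/lib/modules/$(uname -r)/modules.builtin"
```

Only one modprobe.d directory is inspected per call; a host that also keeps rules in /run/modprobe.d or /usr/lib/modprobe.d needs the same call against those directories.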

CVE-2026-31431