Overview
- Researchers disclosed Wednesday a 732‑byte Python proof of concept that turns any unprivileged account into root on most Linux releases built since 2017.
- The flaw sits in the kernel’s authencesn crypto path and, via AF_ALG sockets and splice(), lets a user write four chosen bytes into a file’s page cache, so a setuid tool like /usr/bin/su runs modified code from memory while the disk file stays unchanged.
- Because the page cache is shared across processes, the bug can break container isolation and let a low‑privilege pod or CI job take over a Kubernetes node or multi‑tenant server.
- The upstream kernel is fixed by mainline commit a664bf3d603d, and vendors are issuing or deploying patched kernels; temporary mitigations include disabling the algif_aead module or blocking AF_ALG socket creation with seccomp.
- Xint/Theori found the bug using AI‑assisted code analysis. It carries a High CVSS 7.8 rating, and admins are urged to prioritize updates on multi‑user hosts, CI runners, and environments that execute third‑party code.