{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihbfkciyo3mdxaslmogiiubpo7f6tp5azxiqsvsiicsrle7fwy7ym",
    "uri": "at://did:plc:b3tz6srl4ochk2wxn6dv6xpy/app.bsky.feed.post/3mkoen4zk5sq2"
  },
  "path": "/Articles/1070454/",
  "publishedAt": "2026-04-30T00:01:05.000Z",
  "site": "https://lwn.net",
  "tags": [
    "Xint",
    "a security bug",
    "been fixed",
    "proof-of-concept script",
    "supplemental blog post"
  ],
  "textContent": "Security analysis firm Xint has disclosed a security bug in the Linux kernel that allows for arbitrary 4-byte writes to the page cache, and which has been present since 2017. The vulnerability has been fixed in mainline kernels. A proof-of-concept script, which works on multiple distributions, demonstrates how to use the flaw to corrupt a setuid binary by requesting an AEAD-encrypted socket from user space and splicing a particular payload into it. A supplemental blog post gives more details about the discovery and remediation.\n\n> A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every `read()`, `mmap()`, and `execve()` of that file.",
  "title": "A security bug in AEAD sockets"
}