A 732-byte Python script exploits a logic flaw in the authencesn AEAD template, chained through AF_ALG and splice() into a 4-byte page-cache write, for a 100% reliable local privilege escalation (LPE) on every Linux kernel since 2017.
Key Takeaways
Straight-line logic flaw: no race window, no kernel-specific offsets, just authencesn + AF_ALG + splice() into a writable page-cache scatterlist.
One unmodified script roots Ubuntu 24.04, Amazon Linux 2023, RHEL 14.3, and SUSE 16 — same binary, same result.
Container escape primitive: the page cache is shared with the host, so a pod that can reach AF_ALG can write into cached pages of files it shares with the node, compromising the node and crossing tenant boundaries.
Highest-risk surfaces: multi-tenant shell hosts, self-hosted CI runners executing untrusted PR code, and cloud agent sandboxes running tenant-supplied scripts.
Pre-patch mitigation: add the line install algif_aead /bin/false to a file in /etc/modprobe.d/ (a plain blacklist entry is not enough, since AF_ALG requests the module by name) and rmmod algif_aead if it is already loaded; the full fix is mainline commit a664bf3d603d, now shipping in major distros.
Hacker News Comment Review
Vendor response has been inconsistent: Red Hat classified this as “Moderate severity, Fix deferred”, and several major distros still show it unpatched despite the mainline commit landing on 2026-04-01.
On RHEL 9/10, algif_aead is compiled into the kernel rather than built as a loadable module, so the rmmod and modprobe.d mitigations cannot apply; systemd drop-ins that restrict which socket address families a unit may open are the practical pre-patch workaround on those systems.
A Linux kernel crypto contributor argues AF_ALG should not exist at all: added years ago without adequate review, it exposes a large attack surface to unprivileged userspace when userspace crypto libraries already cover the same use cases.
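The two pre-patch workarounds above (the modprobe.d install line plus rmmod for a loadable algif_aead, and a systemd address-family restriction where the module is built in) as one added shell example; this is not code from the disclosure or from any distro. It reads modules.builtin and /sys/module to decide which path applies, defaults to a dry run, and the systemd drop-in's family list (AF_UNIX, AF_INET, AF_INET6, AF_NETLINK) is an assumption that must be adjusted to what the protected unit actually needs; RestrictAddressFamilies= only governs processes of the unit it is applied to, not arbitrary login shells.

```shell
#!/bin/sh
# Added example, not from the original post: pre-patch hardening for algif_aead.
# Paths are parameters so the decision logic can be exercised offline.

# algif_aead_state MODULES_BUILTIN_FILE SYS_MODULE_DIR
#   prints one of: builtin | loaded | loadable
# modules.builtin is checked first: a built-in module may or may not have a
# /sys/module entry, so the sysfs directory alone cannot prove it is loadable.
algif_aead_state() {
  builtin_list="$1"   # normally /lib/modules/$(uname -r)/modules.builtin
  sys_module="$2"     # normally /sys/module
  if [ -r "$builtin_list" ] && grep -q 'algif_aead\.ko$' "$builtin_list"; then
    echo builtin
  elif [ -d "$sys_module/algif_aead" ]; then
    echo loaded
  else
    echo loadable
  fi
}

# The modprobe.d line. "install" is used rather than "blacklist": blacklist only
# suppresses alias-based autoloading, while af_alg calls request_module() with
# the module name directly, which blacklist does not stop.
modprobe_install_line() {
  echo 'install algif_aead /bin/false'
}

# Drop-in for a unit whose processes must not open AF_ALG sockets.
# RestrictAddressFamilies= is an allow-list enforced via seccomp on socket(2);
# AF_ALG is denied because it is absent. ASSUMED family list, adjust per unit.
systemd_dropin() {
  cat <<'EOF'
[Service]
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
EOF
}

# mitigation_plan STATE -> which workaround applies
mitigation_plan() {
  case "$1" in
    builtin)  echo systemd-dropin ;;
    loaded)   echo modprobe-and-rmmod ;;
    loadable) echo modprobe ;;
    *)        return 1 ;;
  esac
}

# Unprivileged check: can this process still bind an AEAD AF_ALG socket with
# the authencesn template? Returns 0 if reachable, non-zero if blocked/unavailable.
afalg_aead_reachable() {
  python3 - <<'EOF' 2>/dev/null
import socket, sys
try:
    s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
    sys.exit(0)
except OSError:
    sys.exit(1)
EOF
}

# Dry run unless DRY_RUN=0; the real run needs root.
apply_mitigation() {
  dry="${DRY_RUN:-1}"
  state=$(algif_aead_state "/lib/modules/$(uname -r)/modules.builtin" /sys/module)
  plan=$(mitigation_plan "$state")
  echo "algif_aead is $state -> $plan"
  case "$plan" in
    modprobe*)
      if [ "$dry" = 1 ]; then
        echo "would write to /etc/modprobe.d/disable-algif_aead.conf:"
        modprobe_install_line
      else
        modprobe_install_line > /etc/modprobe.d/disable-algif_aead.conf
        if [ "$plan" = modprobe-and-rmmod ]; then rmmod algif_aead; fi
      fi
      ;;
    systemd-dropin)
      echo "module is built in; rmmod cannot help. Example drop-in for a unit:"
      systemd_dropin
      ;;
  esac
  if afalg_aead_reachable; then
    echo "AF_ALG aead bind: still reachable from this shell"
  else
    echo "AF_ALG aead bind: blocked or unavailable from this shell"
  fi
}

apply_mitigation
```

Run it as root with DRY_RUN=0 to write the modprobe.d file and unload the module; the drop-in goes under /etc/systemd/system/<unit>.service.d/ followed by systemctl daemon-reload and a restart of the unit. The final bind check is the practical verification: after the workaround, the AF_ALG bind must fail for the processes you intended to protect.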
Notable Comments
@arcfour: The disclosure page omits exact vulnerable and patched kernel version ranges; the linux-cve-announce mailing list confirms the fix in 6.18.22 with commit fafe0.
@jesse_dot_id: Notes the compounded risk for AI agent deployments: local user execution plus LPE plus a prompt injection technique equals host root.