HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Local Privilege Escalation in Linux Kernel 5.4‑6.8 via AF_ALG Spoofing (EDB‑52573)

A publicly released exploit (EDB‑52573) leverages a splice() bug in the AF_ALG subsystem of Linux kernels 5.4‑6.8, allowing an unprivileged user to overwrite binaries and gain root. Cloud‑infrastructure and SaaS providers running unpatched kernels are at risk of tenant‑initiated compromise.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Linux Kernel 5.4‑6.8 Local Privilege Escalation via AF_ALG Spoofing

What Happened – A publicly‑available exploit (EDB‑ID 52573) targets the AF_ALG (algif_aead) subsystem in Linux kernels 5.4 through 6.8. By abusing a splice()‑based file‑overwrite bug, an unprivileged user can overwrite /usr/bin/su in page cache and spawn a root shell. The exploit works on default Ubuntu 22.04 and Debian 12 installations where the algif_aead module is loaded.

Why It Matters for TPRM

  • Any third‑party service that runs unpatched Linux kernels (e.g., IaaS, PaaS, managed‑hosting, CI/CD runners) can be compromised by a low‑privilege insider or malicious tenant.
  • Successful privilege escalation can lead to lateral movement, data exfiltration, or ransomware deployment against your customers’ workloads.
  • No CVE has been assigned yet, meaning many vulnerability‑management tools may miss it.

Who Is Affected – Cloud‑infrastructure providers, SaaS platforms, managed‑service providers, and any organization that ships or hosts Linux‑based workloads without kernel hardening.

Recommended Actions

  • Verify that all Linux hosts are running kernel 6.9 or later, or apply the upstream patch that disables the vulnerable AF_ALG path.
  • Audit kernel module loading policies; consider disabling algif_aead if not required.
  • Update vulnerability‑scanning rules to flag the EDB‑52573 exploit signature.
  • Conduct privileged‑access reviews for any users with local shell access on shared hosts.

Technical Notes – The flaw resides in the AF_ALG algif_aead implementation; splice() can be coerced into overwriting arbitrary page‑cache pages, enabling arbitrary file overwrite. The exploit overwrites /usr/bin/su and executes embedded shellcode to launch /bin/bash as root. No CVE identifier has been assigned (CVE: N/A). Source: Exploit‑DB 52573

📰 Original Source
https://www.exploit-db.com/exploits/52573

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →