Linux Kernel 5.4‑6.8 Local Privilege Escalation via AF_ALG Spoofing
What Happened – A publicly‑available exploit (EDB‑ID 52573) targets the AF_ALG (algif_aead) subsystem in Linux kernels 5.4 through 6.8. By abusing a splice()‑based file‑overwrite bug, an unprivileged user can overwrite /usr/bin/su in page cache and spawn a root shell. The exploit works on default Ubuntu 22.04 and Debian 12 installations where the algif_aead module is loaded.
Why It Matters for TPRM –
- Any third‑party service that runs unpatched Linux kernels (e.g., IaaS, PaaS, managed‑hosting, CI/CD runners) can be compromised by a low‑privilege insider or malicious tenant.
- Successful privilege escalation can lead to lateral movement, data exfiltration, or ransomware deployment against your customers’ workloads.
- No CVE has been assigned yet, meaning many vulnerability‑management tools may miss it.
Who Is Affected – Cloud‑infrastructure providers, SaaS platforms, managed‑service providers, and any organization that ships or hosts Linux‑based workloads without kernel hardening.
Recommended Actions –
- Verify that all Linux hosts are running kernel 6.9 or later, or apply the upstream patch that disables the vulnerable AF_ALG path.
- Audit kernel module loading policies; consider disabling
algif_aeadif not required. - Update vulnerability‑scanning rules to flag the EDB‑52573 exploit signature.
- Conduct privileged‑access reviews for any users with local shell access on shared hosts.
Technical Notes – The flaw resides in the AF_ALG algif_aead implementation; splice() can be coerced into overwriting arbitrary page‑cache pages, enabling arbitrary file overwrite. The exploit overwrites /usr/bin/su and executes embedded shellcode to launch /bin/bash as root. No CVE identifier has been assigned (CVE: N/A). Source: Exploit‑DB 52573