View at Official redhat advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
A flaw was found in the Linux kernel's RxRPC networking subsystem. When a non-linear socket buffer carrying a splice-pinned page-cache reference reaches the RxRPC authentication verification path, the kernel performs an in-place pcbc(fcrypt) decryption directly on the referenced page-cache page without first isolating the buffer with skb_copy(). An unprivileged local attacker can exploit this behavior to corrupt the page-cache contents of readable files, including sensitive system files such as /etc/passwd, and obtain root privileges. Unlike the ESP/XFRM variant, exploitation does not require unprivileged user or network namespaces, but depends on the RxRPC protocol stack (rxrpc.ko) being available on the target system.
A flaw was found in the Linux kernel's RxRPC networking subsystem. When a non-linear socket buffer carrying a splice-pinned page-cache reference reaches the RxRPC authentication verification path, the kernel performs an in-place pcbc(fcrypt) decryption directly on the referenced page-cache page without first isolating the buffer with skb_copy(). An unprivileged local attacker can exploit this behavior to corrupt the page-cache contents of readable files, including sensitive system files such as /etc/passwd, and obtain root privileges. Unlike the ESP/XFRM variant, exploitation does not require unprivileged user or network namespaces, but depends on the RxRPC protocol stack (rxrpc.ko) being available on the target system.