Exploiting Side-Channel Leakage Enables Successful Exploitation of the Latest Linux Kernel

In a concerning development for Linux kernel security, researchers have demonstrated how side-channel leakage in kernel defenses can be exploited to compromise even the latest Linux kernels.

The technique, detailed in a USENIX Security paper, reveals how certain kernel defenses inadvertently create exploitable patterns that allow attackers to bypass randomization protections.

By leveraging these patterns, attackers can reliably determine the locations of security-critical kernel objects, enabling stable and reliable privilege escalation.

The Linux kernel employs various security measures to protect against exploitation, with a fundamental defense being the randomization of memory locations for security-critical objects.

This randomization strategy aims to prevent exploitation or force attackers to locate these randomized locations before achieving system compromise.

However, the researchers found that specific patterns in the Translation Lookaside Buffer (TLB) – a CPU buffer that stores virtual-to-physical address translations – can be exploited to leak these protected locations.


GitHub analyst Lukas Maar, along with researchers from Graz University of Technology, identified this vulnerability through a systematic analysis of 127 kernel defenses recommended by the Kernel Self-Protection Project or used within Google’s KernelCTF bug bounty program.

Their findings revealed that three specific defenses – enforcing strict memory permissions, virtualizing the kernel heap, and virtualizing the kernel stack – unintentionally create exploitable TLB contention patterns.

The researchers developed what they call “location disclosure attacks” combining kernel allocator massaging with TLB side-channel techniques.

These attacks can leak the locations of critical kernel objects such as page tables, heap objects, and kernel stacks in just 0.3 to 17.8 seconds with minimal false positives.

Alarmingly, these attacks work even on the most recent Linux kernel versions (up to v6.8) and modern Intel processors from 8th to 14th generation.

The TLB Side-Channel Attack Mechanism

The attack leverages how certain kernel defenses change memory mapping from 2MB to 4KB pages. When kernel defenses like CONFIG_STRICT_MODULE_RWX are enabled, they must split 2MB pages into 4KB pages to set proper permissions.

Exploitation chain (Source – GitHub)

This creates distinguishable TLB access patterns that attackers can observe.

The exploitation technique uses an “Evict+Reload” TLB side-channel attack to measure contention patterns and determine exactly where security-critical objects are located in memory.

The researchers demonstrate how enforcing strict memory permissions changes kernel memory mapping from 2MB to 4KB pages, creating exploitable TLB patterns.
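For a defender, the practical question raised by the passage above is an inventory one: which of the named defenses are enabled on a given machine, and how much of the kernel's direct map has already been split into 4KB pages. The following script is an added example written for this article, not code from the paper or the kernel project. It parses the `DirectMap4k`/`DirectMap2M`/`DirectMap1G` fields that x86 kernels expose in `/proc/meminfo` and the `CONFIG_*` symbols in a kernel build config. The mapping from the article's three defenses to the config symbols `CONFIG_STRICT_KERNEL_RWX`, `CONFIG_STRICT_MODULE_RWX` and `CONFIG_VMAP_STACK` is my assumption; the sample inputs are constructed.

```python
import re

# Constructed sample of the tail of /proc/meminfo on an x86 system
# (values are made up for this example).
SAMPLE_MEMINFO = """\
MemTotal:       16240104 kB
MemFree:         9123456 kB
DirectMap4k:      512000 kB
DirectMap2M:     7864320 kB
DirectMap1G:     8388608 kB
"""

# Constructed excerpt of a kernel build config (/boot/config-<version> style).
SAMPLE_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_VMAP_STACK=y
# CONFIG_RANDOMIZE_BASE is not set
"""

# Assumed mapping from the defenses the article names to kernel config symbols.
DEFENSES = {
    "CONFIG_STRICT_KERNEL_RWX": "strict memory permissions (kernel text/rodata)",
    "CONFIG_STRICT_MODULE_RWX": "strict memory permissions (loadable modules)",
    "CONFIG_VMAP_STACK": "virtually mapped kernel stack",
}


def parse_meminfo(text):
    """Return {field: kB} for the DirectMap* lines of a /proc/meminfo dump."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(DirectMap\w+):\s+(\d+)\s+kB$", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def directmap_4k_share(dm):
    """Fraction of the direct map currently mapped with 4KB pages."""
    total = sum(dm.values())
    return dm.get("DirectMap4k", 0) / total if total else 0.0


def parse_config(text):
    """Return {symbol: bool} from a kernel .config excerpt."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\w+)$", line)
        if m:
            out[m.group(1)] = m.group(2) in ("y", "m")
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            out[m.group(1)] = False
    return out


def audit(config_text, meminfo_text):
    """Summarise which of the named defenses are on and the 4KB direct-map share."""
    cfg = parse_config(config_text)
    dm = parse_meminfo(meminfo_text)
    return {
        "enabled_defenses": sorted(s for s in DEFENSES if cfg.get(s)),
        "directmap_4k_share": directmap_4k_share(dm),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, SAMPLE_MEMINFO)
    for sym in result["enabled_defenses"]:
        print(f"{sym}: {DEFENSES[sym]}")
    print(f"direct map in 4KB pages: {result['directmap_4k_share']:.1%}")
```

On a live system, feed `audit()` the contents of `/boot/config-$(uname -r)` and `/proc/meminfo` instead of the constructed samples. The output is an inventory, not a verdict: the paper's point is that these defenses are worth keeping for the protections they provide, so the check is useful for knowing which kernels fall into the configuration the paper studied when prioritising patching, not for turning the defenses off.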

The implications are significant as these attacks can re-enable previously neutralized exploit techniques and even enable new exploitation methods.

Perhaps most concerning is the researchers’ conclusion that one particular defense – the virtual stack defense – actually makes the system less secure due to these side-channel vulnerabilities.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.