Cross-Cache Attacks for the Linux Kernel via PCP Massaging
Claudio Migliorelli
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Cache & Microarch Security
Kernel heap exploitation has become increasingly difficult as memory pools isolate vulnerable and target objects from each other. This talk introduces **PCP-Lost**, a novel cross-cache memory massaging technique that exploits overlooked interactions between the Linux kernel's **SLAB allocator** and the **page frame (buddy) allocator** to force physical page adjacency between different memory pools. The technique achieves approximately **90% reliability** in establishing cross-cache layouts favorable for spatial bugs like out-of-bounds writes, even under noise and existing kernel mitigations.
AI review
A masterclass in kernel heap exploitation. PCP-Lost demonstrates a 90%-reliable cross-cache massaging technique that exploits fundamental interactions between the SLAB and page frame allocators, using a user-space timing side channel to achieve physically contiguous layouts for spatial bugs. It bypasses all mainline mitigations and is validated against six real-world CVEs, and the technique is so fundamental that kernel maintainers can't fix it without merging SLAB virtual. This is the kind of work that changes how people write kernel exploits.