SecurityWeek

Old Attack, New Speed: Researchers Optimize Page Cache Exploits

A team of researchers from the Graz University of Technology in Austria has revived Linux page cache attacks.

A team of researchers from the Graz University of Technology (TU Graz) in Austria has revived Linux page cache attacks, demonstrating that they are not as impractical as previously believed.

Page caches are designed to store file-backed memory pages, such as application binaries, libraries, and data files. By keeping a copy of recently accessed disk data in the system’s memory, the operating system can fulfill subsequent requests more quickly, significantly improving overall performance.

Back in 2019, researchers from the Austrian university and several other organizations showed that Windows and Linux page caches can be abused for both local and remote attacks.

The experts demonstrated that attackers could use an unprivileged piece of malware running on the targeted system to create covert channels and steal sensitive user data via phishing, keylogging, and password reconstruction. 

In a new paper published on Thursday, TU Graz researchers detailed new page cache attack techniques that target Linux (kernel versions between 2003 and present day) and are significantly faster than the previous ones.

For instance, an operation called ‘flushing’ (i.e., removing a page from the cache) takes only 0.8 microseconds compared to 149 milliseconds in the previous work, according to Sudheendra Raghav Neela, one of the researchers involved in the project.

“We achieve a full attack loop in just 0.6-2.3 microseconds — over 5 to 6 orders of magnitude faster than prior page-cache attacks,” the researcher told SecurityWeek.

The experts demonstrated several theoretical attack scenarios that a threat actor with access to the targeted machine can execute.

By monitoring memory pages associated with a specific binary, an attacker can determine when a user is prompted for a password, allowing them to launch a synchronized phishing overlay or a keylogger at the precise moment the victim is expecting to enter sensitive credentials.

The researchers also showed that inter-keystroke timing attacks can be conducted to infer sensitive information, such as passwords, by measuring the precise time intervals between consecutive keystrokes.

In a Docker environment, an attacker with access to a container can see which files another container accesses, breaking isolation and enabling the threat actor to spy on processes running in supposedly secure environments.

Another attack scenario involved the Discord application, allowing an attacker to determine specific user actions, such as joining a voice channel and playing a video. 

Finally, one attack, the only one not previously demonstrated, monitors the page cache for specific libraries or resource files used by Firefox to identify websites accessed by the targeted user.

The findings were reported to the Linux kernel security team in January 2025, but only one issue, tracked as CVE-2025-21691, has been mitigated. 

The attack surface remains, and all the techniques described in the new paper continue to work against current kernel versions, the researchers pointed out.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
