The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.
4.4.0-150.1764.4.0-1084.944.4.0-1047.534.4.0-1110.1184.4.0-1114.1194.15.0-1053.575.4.0-1063.66+cvm2.25.4.0-1063.66+cvm3.25.4.0-1064.67+cvm1.15.4.0-1065.68+cvm2.15.4.0-1067.70+cvm1.15.4.0-1068.71+cvm1.15.4.0-1069.72+cvm1.15.4.0-1070.73+cvm1.15.4.0-1072.75+cvm1.15.4.0-1073.76+cvm1.1+16 more5.4.0-1033.355.4.0-1035.375.4.0-1036.385.4.0-1037.395.4.0-1039.415.4.0-1041.435.4.0-1042.445.4.0-1043.455.4.0-1044.465.4.0-1046.48+41 more5.3.0-1007.85.3.0-1014.165.3.0-1015.175.3.0-1017.195.4.0-1004.45.4.0-1006.65.4.0-24.285.4.0-26.305.4.0-27.315.4.0-28.325.4.0-30.345.4.0-31.355.4.0-33.375.4.0-34.385.4.0-36.415.4.0-37.42+2 moreExploitability
AV:LAC:HPR:LUI:NScope
S:UImpact
C:HI:NA:NCVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N