A recent Linux security hole allows local users to seize the power of root. We show the Linux bugs that came together to let it happen. Once all this has happened, control returns to vmsplice_to_pipe( ...