
The speed improvement makes page‑cache side‑channel attacks feasible for real‑world malware, jeopardizing credential security and container isolation across Linux deployments.
The page cache, a core component of modern operating systems, stores recently accessed file‑backed pages to accelerate I/O operations. While its performance benefits are well known, security researchers have long recognized that the cache can leak timing information. In 2019, academic teams demonstrated proof‑of‑concept attacks on both Windows and Linux, but the high latency of cache‑flush operations—on the order of hundreds of milliseconds—limited practical exploitation. The new study from TU Graz shatters that barrier, showing flush times of 0.8 µs and full attack loops completing within 2 µs, a speedup of five to six orders of magnitude.
This dramatic acceleration expands the realistic threat surface for unprivileged malware. Attackers can now monitor the presence of specific binaries or libraries with microsecond precision, enabling synchronized phishing overlays, real‑time key‑logging, and inter‑keystroke timing attacks that recover passwords. In containerized environments, a compromised container can observe the page‑cache activity of neighboring containers, breaking the isolation guarantees that Docker and Kubernetes rely on. Even user‑level applications such as browsers or communication tools become observable, allowing adversaries to infer visited websites or voice‑channel participation without touching network traffic.
Only a single vulnerability, CVE‑2025‑21691, has been patched since the findings were disclosed, leaving most of the attack surface exposed in current Linux kernels. Mitigation strategies include disabling page‑cache timing channels, tightening container isolation, and deploying kernel hardening patches that randomize cache eviction. Security teams should prioritize monitoring for anomalous cache‑flush patterns and consider integrating hardware‑based side‑channel defenses. As researchers continue to refine microarchitectural exploits, the industry must treat page‑cache side channels with the same urgency as Spectre‑type vulnerabilities to protect enterprise workloads.